icedid | hxxp://crackdj[.]com

Analysis

max time kernel
2704s
max time network
2704s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
25-02-2022 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://crackdj.com

Score

10^/10

icedid onlylogger smokeloader socelars 2715004312 aspackv2 backdoor banker evasion loader spyware stealer trojan

Malware Config

Extracted

Family

socelars

https://frertge.s3.eu-west-2.amazonaws.com/asdhbf/

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://pjure.at/upload/

http://puffersweiven.com/upload/

http://algrcabel.ru/upload/

http://pelangiqq99.com/upload/

http://elsaunny.com/upload/

http://korphoto.com/upload/

http://hangxachtaythodoan.com/upload/

http://pkodev.net/upload/

http://go-piratia.ru/upload/

http://piratia.su/upload/

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8e8da43_Fri13bc2dd2.exe	family_socelars
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe	family_socelars
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe	family_socelars
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 45 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exenet.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4216 created 4624	4216	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 312 created 4624	312	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 1896 created 4624	1896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 4820 created 4624	4820	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 3596 created 4624	3596	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 3856 created 4624	3856	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 1048 created 4624	1048	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 3988 created 4624	3988	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 2448 created 4896	2448	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 4660 created 4896	4660	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 1188 created 4896	1188	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 4348 created 4896	4348	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 5116 created 4896	5116	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 1516 created 4896	1516	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 4228 created 4896	4228	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
PID 1368 created 4376	1368	WerFault.exe	6A8D.exe
PID 4972 created 1760	4972	WerFault.exe	6DBB.exe
PID 4800 created 1760	4800	WerFault.exe	6DBB.exe
PID 4688 created 4376	4688	WerFault.exe	6A8D.exe
PID 2276 created 1760	2276	WerFault.exe	6DBB.exe
PID 4704 created 4376	4704	WerFault.exe	6A8D.exe
PID 2540 created 1760	2540	WerFault.exe	6DBB.exe
PID 3388 created 4376	3388	WerFault.exe	6A8D.exe
PID 3900 created 1760	3900	WerFault.exe	6DBB.exe
PID 1296 created 4376	1296	WerFault.exe	6A8D.exe
PID 3904 created 4376	3904	WerFault.exe	6A8D.exe
PID 5052 created 1760	5052	WerFault.exe	6DBB.exe
PID 4724 created 4376	4724	WerFault.exe	6A8D.exe
PID 2204 created 1760	2204	WerFault.exe	6DBB.exe
PID 4364 created 1760	4364	net.exe	6DBB.exe
PID 2408 created 4376	2408	WerFault.exe	6A8D.exe
PID 2740 created 3948	2740	WerFault.exe	sfrtigc
PID 4972 created 4532	4972	WerFault.exe	explorer.exe
PID 4360 created 2744	4360	WerFault.exe	DllHost.exe
PID 2208 created 948	2208	WerFault.exe	DllHost.exe
PID 3528 created 3448	3528	WerFault.exe	DllHost.exe
PID 1560 created 1196	1560	WerFault.exe	DllHost.exe
PID 4808 created 2480	4808	WerFault.exe	DllHost.exe
PID 3280 created 2752	3280	WerFault.exe	DllHost.exe
PID 1356 created 4116	1356	WerFault.exe	DllHost.exe
PID 1888 created 1312	1888	WerFault.exe	rtrtigc
PID 2536 created 2024	2536	WerFault.exe	sfrtigc
PID 2664 created 3936	2664	WerFault.exe	DllHost.exe
PID 5028 created 4496	5028	WerFault.exe	rtrtigc
PID 3244 created 4420	3244	WerFault.exe	sfrtigc

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4624-263-0x0000000000400000-0x0000000000455000-memory.dmp	family_onlylogger
behavioral3/memory/4624-262-0x0000000004790000-0x00000000047E1000-memory.dmp	family_onlylogger
behavioral3/memory/4896-281-0x0000000000400000-0x0000000000455000-memory.dmp	family_onlylogger

ASPack v2.12-2.42 11 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8b00663_Fri13482c1255.exe	aspack_v212_v242
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_Fri13482c1255.exe	aspack_v212_v242
\??\c:\users\admin\downloads\pc-install6218dec3864a5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_fri13482c1255.exe	aspack_v212_v242
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libstdc++-6.dll	aspack_v212_v242

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

508 3760 rundll32.exe
509 956 rundll32.exe
Downloads MZ/PE file

flow	pid	process
508	3760	rundll32.exe
509	956	rundll32.exe

Executes dropped EXE 57 IoCs

Processes:

win_setup__6218dea3ee0ad.exesetup_installer.exesetup_install.exe6218de9a8d5ff_Fri136ed403e.exe6218de9a8d5ff_Fri136ed403e.tmp6218de8e8da43_Fri13bc2dd2.exe6218de9a8d5ff_Fri136ed403e.exe6218de9a8d5ff_Fri136ed403e.tmp5(6665____.exe6218de8e8da43_Fri13bc2dd2.exe6218de8c491c2_Fri130b0c34bf.exe5(6665____.exe6218de8b00663_Fri13482c1255.exe6218de968df4a_Fri1330ac31f73.exe6218de98105b1_Fri13311aaf26.exe6218de9991adf_Fri137fb25855.exe6218de9991adf_Fri137fb25855.exe6218de9a8d5ff_Fri136ed403e.exe11111.exe6218de9a8d5ff_Fri136ed403e.tmp5(6665____.exe6218de932c3fb_Fri1384b4021b5.exe6218de932c3fb_Fri1384b4021b5.exe6218de968df4a_Fri1330ac31f73.exe60A8.exe64FE.exe6A8D.exe6DBB.exe6218de91bf2d5_Fri13725cf28a8.exe6218de91bf2d5_Fri13725cf28a8.tmp6218de91bf2d5_Fri13725cf28a8.exe6218de91bf2d5_Fri13725cf28a8.tmpdllhostwin.exertrtigcsfrtigcjurtigcjurtigc11111.exertrtigcsfrtigcjurtigcjurtigc11111.exertrtigcsfrtigcjurtigcjurtigc11111.exertrtigcsfrtigcjurtigcjurtigc11111.exertrtigcsfrtigcjurtigcjurtigc

pid	process
2696	win_setup__6218dea3ee0ad.exe
872	setup_installer.exe
1600	setup_install.exe
1544	6218de9a8d5ff_Fri136ed403e.exe
1596	6218de9a8d5ff_Fri136ed403e.tmp
4776	6218de8e8da43_Fri13bc2dd2.exe
1304	6218de9a8d5ff_Fri136ed403e.exe
2672	6218de9a8d5ff_Fri136ed403e.tmp
3264	5(6665____.exe
1576	6218de8e8da43_Fri13bc2dd2.exe
4116	6218de8c491c2_Fri130b0c34bf.exe
4608	5(6665____.exe
3604	6218de8b00663_Fri13482c1255.exe
4624	6218de968df4a_Fri1330ac31f73.exe
4696	6218de98105b1_Fri13311aaf26.exe
3364	6218de9991adf_Fri137fb25855.exe
3832	6218de9991adf_Fri137fb25855.exe
3928	6218de9a8d5ff_Fri136ed403e.exe
1588	11111.exe
956	6218de9a8d5ff_Fri136ed403e.tmp
2116	5(6665____.exe
2580	6218de932c3fb_Fri1384b4021b5.exe
2304	6218de932c3fb_Fri1384b4021b5.exe
4896	6218de968df4a_Fri1330ac31f73.exe
4040	60A8.exe
3716	64FE.exe
4376	6A8D.exe
1760	6DBB.exe
3228	6218de91bf2d5_Fri13725cf28a8.exe
4304	6218de91bf2d5_Fri13725cf28a8.tmp
4212	6218de91bf2d5_Fri13725cf28a8.exe
2408	6218de91bf2d5_Fri13725cf28a8.tmp
2456	dllhostwin.exe
4228	rtrtigc
3948	sfrtigc
4160	jurtigc
5004	jurtigc
3656	11111.exe
1312	rtrtigc
1276	sfrtigc
1344	jurtigc
4308	jurtigc
1712	11111.exe
2584	rtrtigc
2024	sfrtigc
4928	jurtigc
4224	jurtigc
2540	11111.exe
4496	rtrtigc
3040	sfrtigc
552	jurtigc
2752	jurtigc
3576	11111.exe
4600	rtrtigc
4420	sfrtigc
2124	jurtigc
1588	jurtigc

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6218de968df4a_Fri1330ac31f73.exe6218de91bf2d5_Fri13725cf28a8.tmpwin_setup__6218dea3ee0ad.exesetup_installer.exe6218de968df4a_Fri1330ac31f73.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	6218de968df4a_Fri1330ac31f73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	6218de91bf2d5_Fri13725cf28a8.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	win_setup__6218dea3ee0ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	6218de968df4a_Fri1330ac31f73.exe

Loads dropped DLL 16 IoCs

Processes:

setup_install.exe6218de9a8d5ff_Fri136ed403e.tmp6218de9a8d5ff_Fri136ed403e.tmp6218de8b00663_Fri13482c1255.exe6218de9a8d5ff_Fri136ed403e.tmp6218de91bf2d5_Fri13725cf28a8.tmp6218de91bf2d5_Fri13725cf28a8.tmprundll32.exe

pid	process
1600	setup_install.exe
1600	setup_install.exe
1600	setup_install.exe
1600	setup_install.exe
1600	setup_install.exe
1600	setup_install.exe
1596	6218de9a8d5ff_Fri136ed403e.tmp
2672	6218de9a8d5ff_Fri136ed403e.tmp
3604	6218de8b00663_Fri13482c1255.exe
3604	6218de8b00663_Fri13482c1255.exe
3604	6218de8b00663_Fri13482c1255.exe
956	6218de9a8d5ff_Fri136ed403e.tmp
4304	6218de91bf2d5_Fri13725cf28a8.tmp
2408	6218de91bf2d5_Fri13725cf28a8.tmp
4824	rundll32.exe
4824	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

453 ip-api.com

flow	ioc
453	ip-api.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

6218de9991adf_Fri137fb25855.exejurtigcjurtigcjurtigcjurtigcjurtigc

description	pid	process	target process
PID 3364 set thread context of 3832	3364	6218de9991adf_Fri137fb25855.exe	6218de9991adf_Fri137fb25855.exe
PID 4160 set thread context of 5004	4160	jurtigc	jurtigc
PID 1344 set thread context of 4308	1344	jurtigc	jurtigc
PID 4928 set thread context of 4224	4928	jurtigc	jurtigc
PID 552 set thread context of 2752	552	jurtigc	jurtigc
PID 2124 set thread context of 1588	2124	jurtigc	jurtigc

Drops file in Program Files directory 3 IoCs

Processes:

WerFault.exe

description	ioc	process
File created	C:\Program Files (x86)\AtomTweaker\unins000.dat	WerFault.exe
File created	C:\Program Files (x86)\AtomTweaker\is-5L7H8.tmp	WerFault.exe
File opened for modification	C:\Program Files (x86)\AtomTweaker\unins000.dat	WerFault.exe

Drops file in Windows directory 36 IoCs

Processes:

SMConfigInstaller.exeLinqWebConfig.exeaspnet_regiis.exeWFServicesReg.exeWFServicesReg.exeLinqWebConfig.exeaspnet_regiis.exeSMConfigInstaller.exeNgen.exeNgen.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web_mediumtrust.config	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF8B40.tmp	aspnet_regiis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSF86AD.tmp	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF8844.tmp	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web_hightrust.config	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSF8891.tmp	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web_mediumtrust.config	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web_hightrust.config	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSF911C.tmp	aspnet_regiis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF86BF.tmp	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSF86AC.tmp	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF86AE.tmp	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web.config	WFServicesReg.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config	WFServicesReg.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF85D3.tmp	WFServicesReg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\config\WSF912D.tmp	aspnet_regiis.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config	SMConfigInstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF85D2.tmp	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSF88A1.tmp	LinqWebConfig.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config	WFServicesReg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSF8823.tmp	LinqWebConfig.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	Ngen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 45 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3760	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
1364	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
3244	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
1708	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
4540	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
3916	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
3356	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
4784	4624	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
5108	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
1508	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
1560	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
3900	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
2960	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
4152	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
2140	4896	WerFault.exe	6218de968df4a_Fri1330ac31f73.exe
4124	4376	WerFault.exe	6A8D.exe
3928	1760	WerFault.exe	6DBB.exe
3536	4376	WerFault.exe	6A8D.exe
308	1760	WerFault.exe	6DBB.exe
1508	4376	WerFault.exe	6A8D.exe
4644	1760	WerFault.exe	6DBB.exe
4804	1760	WerFault.exe	6DBB.exe
3428	4376	WerFault.exe	6A8D.exe
5116	1760	WerFault.exe	6DBB.exe
4940	4376	WerFault.exe	6A8D.exe
4232	1760	WerFault.exe	6DBB.exe
4848	4376	WerFault.exe	6A8D.exe
2424	4376	WerFault.exe	6A8D.exe
380	1760	WerFault.exe	6DBB.exe
4784	1760	WerFault.exe	6DBB.exe
4240	4376	WerFault.exe	6A8D.exe
5044	3948	WerFault.exe	sfrtigc
1708	4532	WerFault.exe	explorer.exe
1160	2744	WerFault.exe	DllHost.exe
3284	948	WerFault.exe	DllHost.exe
484	3448	WerFault.exe	DllHost.exe
4296	1196	WerFault.exe	DllHost.exe
4916	2480	WerFault.exe	DllHost.exe
4944	2752	WerFault.exe	DllHost.exe
2564	4116	WerFault.exe	DllHost.exe
4132	1312	WerFault.exe	rtrtigc
3308	2024	WerFault.exe	sfrtigc
4472	3936	WerFault.exe	DllHost.exe
4392	4496	WerFault.exe	rtrtigc
4748	4420	WerFault.exe	sfrtigc

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exevssvc.exesfrtigcrtrtigc6218de932c3fb_Fri1384b4021b5.exertrtigc6218de9991adf_Fri137fb25855.exe6218de932c3fb_Fri1384b4021b5.exertrtigcsfrtigc60A8.exejurtigc

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de9991adf_Fri137fb25855.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jurtigc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60A8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jurtigc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de9991adf_Fri137fb25855.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de9991adf_Fri137fb25855.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60A8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jurtigc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sfrtigc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002b5b8d01cc3769600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002b5b8d010000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809002b5b8d01000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002b5b8d0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002b5b8d0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6218de932c3fb_Fri1384b4021b5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rtrtigc

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe6DBB.exeWerFault.exeWerFault.exe6A8D.exeWerFault.exeWerFault.exefirefox.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6DBB.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6DBB.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	6A8D.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	6DBB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	6DBB.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	6A8D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2688 tasklist.exe

pid	process
2688	tasklist.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

3300 ipconfig.exe
2312 NETSTAT.EXE
4044 NETSTAT.EXE
3996 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1424 systeminfo.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2540 taskkill.exe
2424 taskkill.exe
3368 taskkill.exe

pid	process
3300	ipconfig.exe
2312	NETSTAT.EXE
4044	NETSTAT.EXE
3996	ipconfig.exe

pid	process
1424	systeminfo.exe

pid	process
2540	taskkill.exe
2424	taskkill.exe
3368	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30943832"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000004618a9bdfd7b25859dbb96d6b23665a876b19e0a26ae111e1f855d24cb513c91000000000e8000000002000020000000d9326ddf9fc6034397d50ae5beefb2df864f918b3d42a8e48628136ed74167a020000000e2f444dea659ce33517e422c1df1545cc484ef393735924bd74197603e645501400000004df56117969c5b1a95b42c1742eef531a9a1dd0cc64d721236090a40e245a805011f274d489b40359df6c3121b6a9d336ab85f5c9b042904dc8322a2375bd644	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30943832"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2964047357"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2964360007"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30943832"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda000000000200000000001066000000010000200000004581c746daa71fc795a98c44bc04dd1f4b7cc4d31b77ba74cdedc0c26c3ede62000000000e8000000002000020000000f67d4d510137895e666e379c06dc19c6329f1bf3877fa829eea96866c61909ee2000000090e5f971ca1b1362e4ae1874f0b3a1af214d6d94c609273bdf07f8836302467740000000e22dc715853d1b7827463634b743208d5e0844dab5434a0d4c885eab1fe9ace2271eee1d8f88b229ca99c01a940607971699688719cb8bc58f40d57f52555b56	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502953b3582ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03515b3582ad801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2963109536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30943832"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D6E608BB-964B-11EC-82D0-76AD6BDA0DF8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2963109536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351963176"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351964976"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exefirefox.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000200000000000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "17148"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "616"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0\0 = 84003100000000005954047810003632313844457e3100006c0009000400efbe59540478595404782e0000001622020000000d000000000000000000000000000000a9db410036003200310038006400650039003400660031003200640063005f00460072006900310033003800620032003800640030006300390063006400000018000000
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "546"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "16"
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294967295"
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 820074001c004346534616003100000000002c54c973120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe2c54c873595461772e00000087e10100000001000000000000000000000000000000d0d614014100700070004400610074006100000042000000
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000008f24aeeac007d80117ebdce69d17d801d707826e582ad80114000000
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1346"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic"
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "17148"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 = 560031000000000059547c771000526f616d696e6700400009000400efbe2c54c873595401782e00000088e10100000001000000000000000000000000000000548b520052006f0061006d0069006e006700000016000000
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	OpenWith.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6218de8e8da43_Fri13bc2dd2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6218de8e8da43_Fri13bc2dd2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6218de8e8da43_Fri13bc2dd2.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x.zip:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1252 notepad.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2436

description	ioc	process
File created	C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x.zip:Zone.Identifier	firefox.exe

pid	process
1252	notepad.exe

pid	process
2436

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetaskmgr.exe

pid	process
4876	powershell.exe
4876	powershell.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeOpenWith.exe

pid process

220 taskmgr.exe
2436
3224 OpenWith.exe

pid	process
220	taskmgr.exe
2436
3224	OpenWith.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

6218de9991adf_Fri137fb25855.exe6218de932c3fb_Fri1384b4021b5.exe6218de932c3fb_Fri1384b4021b5.exe60A8.exertrtigcjurtigcexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
3832	6218de9991adf_Fri137fb25855.exe
2580	6218de932c3fb_Fri1384b4021b5.exe
2304	6218de932c3fb_Fri1384b4021b5.exe
4040	60A8.exe
4228	rtrtigc
5004	jurtigc
2436
2436
2436
2436
2436
2436
4516	explorer.exe
4516	explorer.exe
2436
2436
3900	explorer.exe
3900	explorer.exe
2436
2436
4312	explorer.exe
4312	explorer.exe
2436
2436
3600	explorer.exe
3600	explorer.exe
2436
2436
3920	explorer.exe
3920	explorer.exe
3920	explorer.exe
3920	explorer.exe
2436
2436
4252	explorer.exe
4252	explorer.exe
3920	explorer.exe
3920	explorer.exe
4252	explorer.exe
4252	explorer.exe
3920	explorer.exe
3920	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exepowershell.exetaskmgr.exe7zG.exe7zG.exe6218de8e8da43_Fri13bc2dd2.exe6218de8e8da43_Fri13bc2dd2.exe

description	pid	process
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeRestorePrivilege	3748	7zG.exe
Token: 35	3748	7zG.exe
Token: SeSecurityPrivilege	3748	7zG.exe
Token: SeSecurityPrivilege	3748	7zG.exe
Token: SeRestorePrivilege	4412	7zG.exe
Token: 35	4412	7zG.exe
Token: SeSecurityPrivilege	4412	7zG.exe
Token: SeSecurityPrivilege	4412	7zG.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeDebugPrivilege	220	taskmgr.exe
Token: SeSystemProfilePrivilege	220	taskmgr.exe
Token: SeCreateGlobalPrivilege	220	taskmgr.exe
Token: SeRestorePrivilege	4448	7zG.exe
Token: 35	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeSecurityPrivilege	4448	7zG.exe
Token: SeRestorePrivilege	5028	7zG.exe
Token: 35	5028	7zG.exe
Token: SeSecurityPrivilege	5028	7zG.exe
Token: SeSecurityPrivilege	5028	7zG.exe
Token: SeCreateTokenPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeAssignPrimaryTokenPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeLockMemoryPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeIncreaseQuotaPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeMachineAccountPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeTcbPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeSecurityPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeTakeOwnershipPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeLoadDriverPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeSystemProfilePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeSystemtimePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeProfSingleProcessPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeIncBasePriorityPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeCreatePagefilePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeCreatePermanentPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeBackupPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeRestorePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeShutdownPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeDebugPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeAuditPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeSystemEnvironmentPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeChangeNotifyPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeRemoteShutdownPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeUndockPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeSyncAgentPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeEnableDelegationPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeManageVolumePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeImpersonatePrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeCreateGlobalPrivilege	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: 31	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: 32	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: 33	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: 34	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: 35	4776	6218de8e8da43_Fri13bc2dd2.exe
Token: SeCreateTokenPrivilege	1576	6218de8e8da43_Fri13bc2dd2.exe
Token: SeAssignPrimaryTokenPrivilege	1576	6218de8e8da43_Fri13bc2dd2.exe
Token: SeLockMemoryPrivilege	1576	6218de8e8da43_Fri13bc2dd2.exe
Token: SeIncreaseQuotaPrivilege	1576	6218de8e8da43_Fri13bc2dd2.exe
Token: SeMachineAccountPrivilege	1576	6218de8e8da43_Fri13bc2dd2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exetaskmgr.exe7zG.exe7zG.exe

pid	process
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3748	7zG.exe
4412	7zG.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
4448	7zG.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
5028	7zG.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe
220	taskmgr.exe

Suspicious use of SetWindowsHookEx 59 IoCs

Processes:

firefox.exewin_setup__6218dea3ee0ad.exesetup_installer.exesetup_install.exe64FE.exeOpenWith.exeOpenWith.exeiexplore.exeIEXPLORE.EXE

pid	process
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
2696	win_setup__6218dea3ee0ad.exe
872	setup_installer.exe
1600	setup_install.exe
2436
2436
2436
2436
2436
2436
3716	64FE.exe
2436
2436
2436
2436
2436
4372	OpenWith.exe
2436
2436
2436
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
3224	OpenWith.exe
4444	iexplore.exe
4444	iexplore.exe
4152	IEXPLORE.EXE
4152	IEXPLORE.EXE

Suspicious use of UnmapMainImage 10 IoCs

Processes:

SearchApp.exe

pid	process
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe
3064	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 772 wrote to memory of 3092	772	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3804	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3804	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 312	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 1684	3092	firefox.exe	firefox.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2744 -s 944
2⤵
- Program crash
- Enumerates system info in registry
PID:1160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2528

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://crackdj.com
1⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" http://crackdj.com
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3092.0.513555803\1457986373" -parentBuildID 20200403170909 -prefsHandle 1704 -prefMapHandle 1672 -prefsLen 1 -prefMapSize 219766 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 1784 gpu
3⤵
PID:3804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3092.3.989743042\820792658" -childID 1 -isForBrowser -prefsHandle 2496 -prefMapHandle 2248 -prefsLen 112 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 1540 tab
3⤵
PID:312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3092.13.1835217097\1416177082" -childID 2 -isForBrowser -prefsHandle 3412 -prefMapHandle 3408 -prefsLen 978 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 3420 tab
3⤵
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3092.20.1457676618\1921328752" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 6969 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 3720 tab
3⤵
PID:1364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3092.27.839994486\1890524742" -childID 4 -isForBrowser -prefsHandle 8036 -prefMapHandle 8068 -prefsLen 8685 -prefMapSize 219766 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3092 "\\.\pipe\gecko-crash-server-pipe.3092" 4128 tab
3⤵
PID:4556

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\" -spe -an -ai#7zMap31548:126:7zEvent23854
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3748

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\PASSWORD-IS-I55FPV0QuMY.txt
1⤵
PID:4268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\" -spe -an -ai#7zMap1567:178:7zEvent15229
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4412

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:872

C:\Users\Admin\AppData\Local\Temp\7zS8631260F\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8631260F\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de8b00663_Fri13482c1255.exe
4⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de8c491c2_Fri130b0c34bf.exe
4⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de9ae0859_Fri13b74c5f4538.exe
4⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de9a8d5ff_Fri136ed403e.exe
4⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de9991adf_Fri137fb25855.exe
4⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de98105b1_Fri13311aaf26.exe
4⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de968df4a_Fri1330ac31f73.exe /mixtwo
4⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de94f12dc_Fri138b28d0c9cd.exe
4⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de932c3fb_Fri1384b4021b5.exe
4⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de91bf2d5_Fri13725cf28a8.exe
4⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de8f4cf3b_Fri13dc2fa2a32.exe
4⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de8e8da43_Fri13bc2dd2.exe
4⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6218de8d19553_Fri1380ded2.exe
4⤵
PID:4660

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:220

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\" -spe -an -ai#7zMap19660:228:7zEvent26037
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4448

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\" -spe -an -ai#7zMap10874:260:7zEvent24222
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5028

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
1⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\is-4F9E8.tmp\6218de9a8d5ff_Fri136ed403e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4F9E8.tmp\6218de9a8d5ff_Fri136ed403e.tmp" /SL5="$90120,140006,56320,C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Users\Admin\AppData\Local\Temp\is-84IN9.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-84IN9.tmp\5(6665____.exe" /S /UID=1405
3⤵
- Executes dropped EXE
PID:3264

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:3232

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:2540

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Users\Admin\AppData\Local\Temp\is-6R4F4.tmp\6218de9a8d5ff_Fri136ed403e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6R4F4.tmp\6218de9a8d5ff_Fri136ed403e.tmp" /SL5="$3045C,140006,56320,C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672

C:\Users\Admin\AppData\Local\Temp\is-BVL8G.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-BVL8G.tmp\5(6665____.exe" /S /UID=1405
3⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:4064

C:\Windows\system32\OptionalFeatures.EXE
"C:\Windows\system32\OptionalFeatures.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:208

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8c491c2_Fri130b0c34bf.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8c491c2_Fri130b0c34bf.exe"
1⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_Fri13482c1255.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_Fri13482c1255.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
2⤵
PID:2996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
3⤵
PID:4228

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 748
2⤵
- Drops file in Windows directory
- Program crash
- Enumerates system info in registry
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 904
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 920
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 916
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 952
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 960
2⤵
- Program crash
- Enumerates system info in registry
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 944
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6218de968df4a_Fri1330ac31f73.exe" /f & erase "C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe" & exit
2⤵
PID:5028

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6218de968df4a_Fri1330ac31f73.exe" /f
3⤵
- Kills process with taskkill
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 984
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4784

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de98105b1_Fri13311aaf26.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de98105b1_Fri13311aaf26.exe"
1⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4616

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9991adf_Fri137fb25855.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9991adf_Fri137fb25855.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3364

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9991adf_Fri137fb25855.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9991adf_Fri137fb25855.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4216

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
1⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\is-RC085.tmp\6218de9a8d5ff_Fri136ed403e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RC085.tmp\6218de9a8d5ff_Fri136ed403e.tmp" /SL5="$3044A,140006,56320,C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Users\Admin\AppData\Local\Temp\is-LHCMO.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-LHCMO.tmp\5(6665____.exe" /S /UID=1405
3⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3988

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de932c3fb_Fri1384b4021b5.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de932c3fb_Fri1384b4021b5.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2580

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de932c3fb_Fri1384b4021b5.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de932c3fb_Fri1384b4021b5.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2304

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 816
2⤵
- Program crash
- Enumerates system info in registry
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 824
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 824
2⤵
- Program crash
- Enumerates system info in registry
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 896
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 836
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 968
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6218de968df4a_Fri1330ac31f73.exe" /f & erase "C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe" & exit
2⤵
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6218de968df4a_Fri1330ac31f73.exe" /f
3⤵
- Kills process with taskkill
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1076
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4348

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4228

C:\Users\Admin\AppData\Local\Temp\60A8.exe
C:\Users\Admin\AppData\Local\Temp\60A8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4040

C:\Users\Admin\AppData\Local\Temp\64FE.exe
C:\Users\Admin\AppData\Local\Temp\64FE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Users\Admin\AppData\Local\Temp\6A8D.exe
C:\Users\Admin\AppData\Local\Temp\6A8D.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 600
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 936
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1032
2⤵
- Program crash
- Enumerates system info in registry
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1040
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1052
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 952
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1088
2⤵
- Program crash
- Enumerates system info in registry
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1108
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4240

C:\Users\Admin\AppData\Local\Temp\6DBB.exe
C:\Users\Admin\AppData\Local\Temp\6DBB.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 612
2⤵
- Program crash
- Enumerates system info in registry
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
2⤵
- Program crash
- Enumerates system info in registry
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1020
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 940
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1044
2⤵
- Program crash
- Enumerates system info in registry
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
2⤵
- Program crash
- Enumerates system info in registry
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4972

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\AppData\Local\Temp\is-C6T5L.tmp\6218de91bf2d5_Fri13725cf28a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C6T5L.tmp\6218de91bf2d5_Fri13725cf28a8.tmp" /SL5="$70476,870458,780800,C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4304

C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe
"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe" /SILENT
3⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-NHAFA.tmp\6218de91bf2d5_Fri13725cf28a8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NHAFA.tmp\6218de91bf2d5_Fri13725cf28a8.tmp" /SL5="$80476,870458,780800,C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de91bf2d5_Fri13725cf28a8.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408

C:\Users\Admin\AppData\Local\Temp\is-8QCIL.tmp\dllhostwin.exe
"C:\Users\Admin\AppData\Local\Temp\is-8QCIL.tmp\dllhostwin.exe" 77
5⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1296

C:\Users\Admin\AppData\Roaming\sfrtigc
C:\Users\Admin\AppData\Roaming\sfrtigc
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 340
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5044

C:\Users\Admin\AppData\Roaming\rtrtigc
C:\Users\Admin\AppData\Roaming\rtrtigc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4228

C:\Windows\system32\cmd.exe
cmd
1⤵
PID:5104

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
PID:2632

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
PID:2152

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:2996

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:4620

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:4580

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:1168

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:624

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:3204

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2864

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:4464

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:3364

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:2260

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:4928

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1780

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:3300

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:4780

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:4672

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1424

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:2688

C:\Windows\system32\net.exe
net accounts /domain
2⤵
PID:4988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:4584

C:\Windows\system32\net.exe
net share
2⤵
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:3152

C:\Windows\system32\net.exe
net user
2⤵
PID:4940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:3204

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:4680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:1860

C:\Windows\system32\net.exe
net use
2⤵
PID:3972

C:\Windows\system32\net.exe
net group
2⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:2220

C:\Windows\system32\net.exe
net localgroup
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:1012

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:4576

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:1276

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:4044

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:4464

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:3996

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4160

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de94f12dc_Fri138b28d0c9cd\" -spe -an -ai#7zMap2637:320:7zEvent15291
1⤵
PID:1712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3904

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de94f12dc_Fri138b28d0c9cd\KCiimG.cpl",
1⤵
PID:3144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de94f12dc_Fri138b28d0c9cd\KCiimG.cpl",
2⤵
PID:4304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de94f12dc_Fri138b28d0c9cd\KCiimG.cpl",
3⤵
- Loads dropped DLL
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1760 -ip 1760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Program Files directory
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1760 -ip 1760
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3948 -ip 3948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2740

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\WaitEnable.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:1252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de94f12dc_Fri138b28d0c9cd\KCiimG.cpl
2⤵
PID:3428

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 868
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4532 -ip 4532
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4516

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3900

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4312

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2744 -ip 2744
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 948 -s 424
2⤵
- Program crash
- Enumerates system info in registry
PID:3284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 948 -ip 948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3448 -s 912
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 3448 -ip 3448
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1196 -s 812
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1196 -ip 1196
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2480 -s 244
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2480 -ip 2480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2752 -s 860
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4944

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 2752 -ip 2752
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4116 -s 820
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 4116 -ip 4116
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
1⤵
- Drops file in Windows directory
PID:2268

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
1⤵
- Drops file in Windows directory
PID:4704

C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe
"C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe" /c /b /v /m /i
1⤵
- Drops file in Windows directory
PID:3604

C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe
"C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe" /c /b /v /m /i
1⤵
- Drops file in Windows directory
PID:1500

C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe
"C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework
1⤵
- Drops file in Windows directory
PID:1600

C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe
"C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework64
1⤵
- Drops file in Windows directory
PID:4460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -update
1⤵
- Drops file in Windows directory
PID:4616

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" -update
1⤵
- Drops file in Windows directory
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
PID:4488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
PID:3012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3556

C:\Users\Admin\AppData\Roaming\rtrtigc
C:\Users\Admin\AppData\Roaming\rtrtigc
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 456
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4132

C:\Users\Admin\AppData\Roaming\sfrtigc
C:\Users\Admin\AppData\Roaming\sfrtigc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1276

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1344

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1312 -ip 1312
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1888

C:\Users\Admin\AppData\Roaming\rtrtigc
C:\Users\Admin\AppData\Roaming\rtrtigc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2584

C:\Users\Admin\AppData\Roaming\sfrtigc
C:\Users\Admin\AppData\Roaming\sfrtigc
1⤵
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 304
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3308

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4928

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2024 -ip 2024
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1408

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3936 -s 860
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 3936 -ip 3936
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2664

C:\Users\Admin\AppData\Roaming\rtrtigc
C:\Users\Admin\AppData\Roaming\rtrtigc
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 308
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4392

C:\Users\Admin\AppData\Roaming\sfrtigc
C:\Users\Admin\AppData\Roaming\sfrtigc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3040

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:552

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
2⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4496 -ip 4496
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5028

C:\Users\Admin\AppData\Roaming\rtrtigc
C:\Users\Admin\AppData\Roaming\rtrtigc
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Users\Admin\AppData\Roaming\sfrtigc
C:\Users\Admin\AppData\Roaming\sfrtigc
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 304
2⤵
- Program crash
- Checks processor information in registry
PID:4748

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2124

C:\Users\Admin\AppData\Roaming\jurtigc
C:\Users\Admin\AppData\Roaming\jurtigc
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4420 -ip 4420
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
def67c120114f80bc2b73093f3cd60a9

SHA1
7bf986b78d3b2218316975ac0d01ffccd4d6c128

SHA256
42b2a7419b710c7c066a815965f7196ea5892dee21606c953d9b879b42ba0c4d

SHA512
4af3079479a1142ec88dd914a78e3af9a9ee28405d77b4ad52a4aa76dab17258bbe7a5f615c8223e575e91483d6643c08edda456e5d97438b6d16b89e3bda6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8b00663_Fri13482c1255.exe
MD5
98c3385d313ae6d4cf1f192830f6b555

SHA1
31c572430094e9adbf5b7647c3621b2e8dfa7fe8

SHA256
4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be

SHA512
fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8c491c2_Fri130b0c34bf.exe
MD5
91c096174606e78d846e43b8ef50d867

SHA1
46f106d1393dbb3c1c82f76706e988683e45c27a

SHA256
1e3ad7bbf2444d727463b7bb11c86fc61cb0123c9adf7eb7e537c4259e2b41aa

SHA512
0f4ca8ae93ce9ef01995af2bf714dd3315d73a5beb5261ea4721a572eac9403e21eb0ed9d50682f09679f624dc1e0bcd42cbb85925c2c8b5a9d403bc5fa88fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8d19553_Fri1380ded2.exe
MD5
75ad54df5f1dc21200505341189b84ac

SHA1
4f7c18ae38ed5b659350e86fb7952590769959a3

SHA256
ad87f57f3d271050c4634ee24cce25336fcbcfa6ea979fce7899c185b5e5299f

SHA512
11acb9629713fc4ba7d6ca649f1388f6995f5136fc00e138fb06b30e92202a9361203629971ad2ef9efd5f318c16d1b11f23a4b344c08add0b2f99817017a58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8e8da43_Fri13bc2dd2.exe
MD5
fc895170a507bd3dd8fca9e0f8852133

SHA1
fde644632a8b6dfc8790fdec7a4f7c645767f167

SHA256
ed53c9f296e247675d8143a52e690e80fc6b47704c5a4c1e00a32853fbc0bf49

SHA512
7a772670f2010fca17d22a80379592950dcdeb735bdc7d899d1f633f4c3735e9758a0c6e6eecf9ac2e58524918fca0774b0a9cf7d015b0b48b99535e5cfdfa0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de8f4cf3b_Fri13dc2fa2a32.exe
MD5
894759b7ce3835029711d032205ec472

SHA1
e8824dffbc468e4dcdfd06094597776b3c4be593

SHA256
c12d359da11bc33309ac9d661aec047669aee7986bfd8326d122a26c055e0044

SHA512
ea25a7fd901eb9dedf93eb5e026de1406315599429ee31080828a59cd8cb6dd763ef307c329ef5f422b3cfaa136f2aa7b1412f013bbbd9aecf97a7c9195d127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de91bf2d5_Fri13725cf28a8.exe
MD5
8f12876ff6f721e9b9786733f923ed5a

SHA1
4898a00c846f82316cc632007966dfb5f626ad43

SHA256
9aa138a385805dc69f7c082a3994538fea2127d18f352a74ab8505ccd74fa533

SHA512
1069e733a45c7a2bec67cae1b465bdd4a76051673a7bb0a7dba21a240d9e4d3d18f5915ace58e5a666d824e57355907c7ac23fc23d4fcf38af5a6e54115f1b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de932c3fb_Fri1384b4021b5.exe
MD5
de69ea210655b667edbd430c67dbe115

SHA1
e796c84e61fb9dc8dac648d4bc32fa3515cac8b0

SHA256
5f3968808374c4f8c34780ba7e845073b482137c57c5653c71da00d1e63ba38f

SHA512
592c3441c8a4b81fe3506585d77f986e35e204b6808b7e84d57224cd81a18c94c0d8798b77a19a841a39b0c7e0e75030e90155eca0742033f693634d24b8bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de94f12dc_Fri138b28d0c9cd.exe
MD5
726b2690a903785d3414af8f78a85118

SHA1
b2a1c391fca3c4cd5ed51c97272f97198cb73f09

SHA256
6efabadba5bca0d55bd8376d7e0c4f2bd600a556e64c6f2338e4e90abeabb0aa

SHA512
f28e57aee274cd14d0f733a0a5a9f93b8e16a250b6f6cc99f3345a1a3bd154703a276bf524147ef2191365b932a1867bd80069bef7aca229b9c0d1d66788e679

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de968df4a_Fri1330ac31f73.exe
MD5
5444773e4fa23faec62cf2aec2490632

SHA1
f0210aa9f76d60b4f3a76e7fbacd24d54208ba06

SHA256
3deded7799d78c820d5d5b945002870d22a9a1671b311eb0060299ef5395fe13

SHA512
b73da7a846da03426c587de6b91dd97644480e8be6de1a1baeddd97611d0fbfa82f9190f5efbfdb3ad5064f571adfae7671108c4ee41796227bbb952e8f68ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de98105b1_Fri13311aaf26.exe
MD5
749b436db9150b62721e67aa8d5bdebb

SHA1
a5b77f7cede8c4c40d96e941a941862b6a9c1a23

SHA256
9d400635b2cb61d461ade25b36097fc8e66c8d963c1cd3ab0d6864b9c016bbfc

SHA512
ccfbffc9ca5dde45e1a834336e0f1df4a9c0e8658a7c4f07f5dec347005b2c4f9bdd5c6d5981680ba9a84d4169f9a26d4a53c930def39cd298947ec7cf8db0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de9991adf_Fri137fb25855.exe
MD5
29e958b2976d4e26b64a727dd8c30535

SHA1
f27fa30ed220b489eafff59e769717bc6d1212c0

SHA256
0334e3b35fcacfa5912dd78eb0785d1399968d7c1ff7c9f67e16a3980fe0fcff

SHA512
4a7ac3ccfe1c8eb0ba543ac1df39c7c588238d4ab2103418f97a9f2549c7ffd8323ac5da0b50a5b0ebfdcbac4a7f01fabdea660e4b194b43a392743e0d91b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de9a8d5ff_Fri136ed403e.exe
MD5
093a525270f9877b561277e4db28c84d

SHA1
381137c07d639575a016fc3884584ddda3afe769

SHA256
cb7b334daa0e0dc84b3f43e1e332c7f09b729804300f49e6b5dadc0138c6661e

SHA512
82e5a270a71de13d7a96e2d84a51a74692db6269dc7d6faa1d2f02be23ad1678b55c81651045bc1d7a766e5f82240ccfb574082eed10b776c31bde6c03895326

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\6218de9ae0859_Fri13b74c5f4538.exe
MD5
0c022b60e97fb5e03f80d15096a428fb

SHA1
e63709659c8b9296d2480db4af4d67087f596069

SHA256
4937bd826d53480e4f4dfa4a922c1768378739265168d9a2e4b4c28039bb286c

SHA512
b9c7188e871151ce7ca89cfee4746f6c33535de7f0d7d6c87b285d03c7a76f4c586121b44c5e6409a27f70a239e6b3d6e78b9b5a83c1f213609a8af137e88149

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurl.dll
MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libcurlpp.dll
MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\setup_install.exe
MD5
b2248f30e671f2847647ae8857f73be1

SHA1
9ac4d138ca2d3d0c4b5519d9c2998ef3110e4fd8

SHA256
bae8c90cb26f81bfe26d923567c77b9bd9c5e2e22d79355c11f7bcbf97024426

SHA512
4bd318a0d2b152c28b3e34e1d8311577c47bb013871d52350e5393bc07cff63390f1160779fd3a6e0a38097906065b662fcace026dc2c14d7449f0b16e9da9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8631260F\setup_install.exe
MD5
b2248f30e671f2847647ae8857f73be1

SHA1
9ac4d138ca2d3d0c4b5519d9c2998ef3110e4fd8

SHA256
bae8c90cb26f81bfe26d923567c77b9bd9c5e2e22d79355c11f7bcbf97024426

SHA512
4bd318a0d2b152c28b3e34e1d8311577c47bb013871d52350e5393bc07cff63390f1160779fd3a6e0a38097906065b662fcace026dc2c14d7449f0b16e9da9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4F9E8.tmp\6218de9a8d5ff_Fri136ed403e.tmp
MD5
25ffc23f92cf2ee9d036ec921423d867

SHA1
4be58697c7253bfea1672386eaeeb6848740d7d6

SHA256
1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703

SHA512
4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6R4F4.tmp\6218de9a8d5ff_Fri136ed403e.tmp
MD5
25ffc23f92cf2ee9d036ec921423d867

SHA1
4be58697c7253bfea1672386eaeeb6848740d7d6

SHA256
1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703

SHA512
4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-84IN9.tmp\5(6665____.exe
MD5
6fa75cfecf36479704a1bf9ba5995d7b

SHA1
7b3715c0c24341c6ab0b2a0408451f05c1a655c5

SHA256
ae02d2b43d2d63b75a3a5c87267541c8d34a3f60a03e169ce904e3ea6a5b842f

SHA512
af5104d4b6cb918838576cd232ba90ba065efd6e564612b246edec38f408601020d45a85186671d7f9d60110c2a3fc523f8ee21378843317c78acf7291b55e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-84IN9.tmp\5(6665____.exe
MD5
6fa75cfecf36479704a1bf9ba5995d7b

SHA1
7b3715c0c24341c6ab0b2a0408451f05c1a655c5

SHA256
ae02d2b43d2d63b75a3a5c87267541c8d34a3f60a03e169ce904e3ea6a5b842f

SHA512
af5104d4b6cb918838576cd232ba90ba065efd6e564612b246edec38f408601020d45a85186671d7f9d60110c2a3fc523f8ee21378843317c78acf7291b55e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-84IN9.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BVL8G.tmp\5(6665____.exe
MD5
6fa75cfecf36479704a1bf9ba5995d7b

SHA1
7b3715c0c24341c6ab0b2a0408451f05c1a655c5

SHA256
ae02d2b43d2d63b75a3a5c87267541c8d34a3f60a03e169ce904e3ea6a5b842f

SHA512
af5104d4b6cb918838576cd232ba90ba065efd6e564612b246edec38f408601020d45a85186671d7f9d60110c2a3fc523f8ee21378843317c78acf7291b55e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BVL8G.tmp\5(6665____.exe
MD5
6fa75cfecf36479704a1bf9ba5995d7b

SHA1
7b3715c0c24341c6ab0b2a0408451f05c1a655c5

SHA256
ae02d2b43d2d63b75a3a5c87267541c8d34a3f60a03e169ce904e3ea6a5b842f

SHA512
af5104d4b6cb918838576cd232ba90ba065efd6e564612b246edec38f408601020d45a85186671d7f9d60110c2a3fc523f8ee21378843317c78acf7291b55e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BVL8G.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
0b6719ec3fea2911551217f2c15c498b

SHA1
6a9d1cc07e8c0723d293f0a65cb1f55a0bea8712

SHA256
fa536471eb10465f81cf3ee02ec612a68987f09dbeab0940fc12b992c75ecbf2

SHA512
e4b8ca637c0d6821e1bace937302b40f0b990daecf9de09de56fa1345fc42c15cb5d2a43cd5c5bce556ce5b05bdd51aa87519b58a11feb33b795579a8f477c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5
0b6719ec3fea2911551217f2c15c498b

SHA1
6a9d1cc07e8c0723d293f0a65cb1f55a0bea8712

SHA256
fa536471eb10465f81cf3ee02ec612a68987f09dbeab0940fc12b992c75ecbf2

SHA512
e4b8ca637c0d6821e1bace937302b40f0b990daecf9de09de56fa1345fc42c15cb5d2a43cd5c5bce556ce5b05bdd51aa87519b58a11feb33b795579a8f477c7c

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x.zip
MD5
76ef98a9490ba086a7848e2015e69773

SHA1
b1b786009c49bd5cafc71d63c1c8869905dfd94a

SHA256
ece9757e36f196f2047c7407c9fb0a5bc0faf0ab52978ef2fc85f5ecfdc73b6f

SHA512
810655478d84e3a1f41894f84752945f62adf7158329c36b28b686fbb0f678b2418569b0a60d9aca847ad55ff0cc5cd346249b70b4b462c9c4d94982c047bd7e

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\PASSWORD-IS-I55FPV0QuMY.txt
MD5
d98b037828adf7afdb76f9a2fd3882f5

SHA1
ca33b37c4c8bb8d2ee059637d4812ece5b2f77f9

SHA256
a3237dde1a95e5351f47154f0d8c0822806f632f665ee18d6500a157d02af165

SHA512
2fcffb4de4e3fa98e60c53895ad7b6183862326831ae3816b19261a7b7fed77fe9e2fbfeabe8427fbb94f406f83d46cefdbe97a87e1d42be054708ba64442979

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en.zip
MD5
cde93e2d03a77ca7576e35ac8acafa0f

SHA1
acfcc9b3afbe1d4edfb8ac6a723106c7fef6ecf0

SHA256
70a059a6e13fec7fb5331bd974103ed6bb9178e0fec950360819657368aef472

SHA512
5b1a59358319cb5099814dee4dd4e6bfee1e05088836563000c7adb27a70ffcee59b6c657777ab05fda45d010e60409a81baf1164e06c4a9f13bc1d8a24f8442

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad.exe
MD5
90f2c71ac3d7431501ff1358b1380557

SHA1
ba2e1f517d2c18b0c2d01810829dd5905d7054f4

SHA256
7218e16f214bfbd52079839fc2db6800ff58b6601bb552afbce98b8c5e522c7f

SHA512
a0abfe666a7c76f7c1c41bec875eab449ced9eb052d8b7f20875f8cdc3fabdc9934210c6120dba6500ac40600c43179e1dfb547bd1e4d429bac09e2e2db33dfd

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad.exe
MD5
90f2c71ac3d7431501ff1358b1380557

SHA1
ba2e1f517d2c18b0c2d01810829dd5905d7054f4

SHA256
7218e16f214bfbd52079839fc2db6800ff58b6601bb552afbce98b8c5e522c7f

SHA512
a0abfe666a7c76f7c1c41bec875eab449ced9eb052d8b7f20875f8cdc3fabdc9934210c6120dba6500ac40600c43179e1dfb547bd1e4d429bac09e2e2db33dfd

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer.exe
MD5
0b6719ec3fea2911551217f2c15c498b

SHA1
6a9d1cc07e8c0723d293f0a65cb1f55a0bea8712

SHA256
fa536471eb10465f81cf3ee02ec612a68987f09dbeab0940fc12b992c75ecbf2

SHA512
e4b8ca637c0d6821e1bace937302b40f0b990daecf9de09de56fa1345fc42c15cb5d2a43cd5c5bce556ce5b05bdd51aa87519b58a11feb33b795579a8f477c7c

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_Fri13482c1255.exe
MD5
98c3385d313ae6d4cf1f192830f6b555

SHA1
31c572430094e9adbf5b7647c3621b2e8dfa7fe8

SHA256
4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be

SHA512
fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8c491c2_Fri130b0c34bf.exe
MD5
91c096174606e78d846e43b8ef50d867

SHA1
46f106d1393dbb3c1c82f76706e988683e45c27a

SHA256
1e3ad7bbf2444d727463b7bb11c86fc61cb0123c9adf7eb7e537c4259e2b41aa

SHA512
0f4ca8ae93ce9ef01995af2bf714dd3315d73a5beb5261ea4721a572eac9403e21eb0ed9d50682f09679f624dc1e0bcd42cbb85925c2c8b5a9d403bc5fa88fa5

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8c491c2_Fri130b0c34bf.exe
MD5
91c096174606e78d846e43b8ef50d867

SHA1
46f106d1393dbb3c1c82f76706e988683e45c27a

SHA256
1e3ad7bbf2444d727463b7bb11c86fc61cb0123c9adf7eb7e537c4259e2b41aa

SHA512
0f4ca8ae93ce9ef01995af2bf714dd3315d73a5beb5261ea4721a572eac9403e21eb0ed9d50682f09679f624dc1e0bcd42cbb85925c2c8b5a9d403bc5fa88fa5

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe
MD5
fc895170a507bd3dd8fca9e0f8852133

SHA1
fde644632a8b6dfc8790fdec7a4f7c645767f167

SHA256
ed53c9f296e247675d8143a52e690e80fc6b47704c5a4c1e00a32853fbc0bf49

SHA512
7a772670f2010fca17d22a80379592950dcdeb735bdc7d899d1f633f4c3735e9758a0c6e6eecf9ac2e58524918fca0774b0a9cf7d015b0b48b99535e5cfdfa0d

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe
MD5
fc895170a507bd3dd8fca9e0f8852133

SHA1
fde644632a8b6dfc8790fdec7a4f7c645767f167

SHA256
ed53c9f296e247675d8143a52e690e80fc6b47704c5a4c1e00a32853fbc0bf49

SHA512
7a772670f2010fca17d22a80379592950dcdeb735bdc7d899d1f633f4c3735e9758a0c6e6eecf9ac2e58524918fca0774b0a9cf7d015b0b48b99535e5cfdfa0d

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8e8da43_Fri13bc2dd2.exe
MD5
fc895170a507bd3dd8fca9e0f8852133

SHA1
fde644632a8b6dfc8790fdec7a4f7c645767f167

SHA256
ed53c9f296e247675d8143a52e690e80fc6b47704c5a4c1e00a32853fbc0bf49

SHA512
7a772670f2010fca17d22a80379592950dcdeb735bdc7d899d1f633f4c3735e9758a0c6e6eecf9ac2e58524918fca0774b0a9cf7d015b0b48b99535e5cfdfa0d

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de968df4a_Fri1330ac31f73.exe
MD5
5444773e4fa23faec62cf2aec2490632

SHA1
f0210aa9f76d60b4f3a76e7fbacd24d54208ba06

SHA256
3deded7799d78c820d5d5b945002870d22a9a1671b311eb0060299ef5395fe13

SHA512
b73da7a846da03426c587de6b91dd97644480e8be6de1a1baeddd97611d0fbfa82f9190f5efbfdb3ad5064f571adfae7671108c4ee41796227bbb952e8f68ba3

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
MD5
093a525270f9877b561277e4db28c84d

SHA1
381137c07d639575a016fc3884584ddda3afe769

SHA256
cb7b334daa0e0dc84b3f43e1e332c7f09b729804300f49e6b5dadc0138c6661e

SHA512
82e5a270a71de13d7a96e2d84a51a74692db6269dc7d6faa1d2f02be23ad1678b55c81651045bc1d7a766e5f82240ccfb574082eed10b776c31bde6c03895326

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
MD5
093a525270f9877b561277e4db28c84d

SHA1
381137c07d639575a016fc3884584ddda3afe769

SHA256
cb7b334daa0e0dc84b3f43e1e332c7f09b729804300f49e6b5dadc0138c6661e

SHA512
82e5a270a71de13d7a96e2d84a51a74692db6269dc7d6faa1d2f02be23ad1678b55c81651045bc1d7a766e5f82240ccfb574082eed10b776c31bde6c03895326

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de9a8d5ff_Fri136ed403e.exe
MD5
093a525270f9877b561277e4db28c84d

SHA1
381137c07d639575a016fc3884584ddda3afe769

SHA256
cb7b334daa0e0dc84b3f43e1e332c7f09b729804300f49e6b5dadc0138c6661e

SHA512
82e5a270a71de13d7a96e2d84a51a74692db6269dc7d6faa1d2f02be23ad1678b55c81651045bc1d7a766e5f82240ccfb574082eed10b776c31bde6c03895326

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libgcc_s_dw2-1.dll
MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libstdc++-6.dll
MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\Downloads\pc-install6218DEC3864A5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\libwinpthread-1.dll
MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\??\c:\users\admin\appdata\local\temp\is-4f9e8.tmp\6218de9a8d5ff_fri136ed403e.tmp
MD5
25ffc23f92cf2ee9d036ec921423d867

SHA1
4be58697c7253bfea1672386eaeeb6848740d7d6

SHA256
1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703

SHA512
4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

Download Submit
\??\c:\users\admin\appdata\local\temp\is-6r4f4.tmp\6218de9a8d5ff_fri136ed403e.tmp
MD5
25ffc23f92cf2ee9d036ec921423d867

SHA1
4be58697c7253bfea1672386eaeeb6848740d7d6

SHA256
1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703

SHA512
4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

Download Submit
\??\c:\users\admin\downloads\pc-install6218dec3864a5-en86-64x\winp-6218dea405589i864-en\win_setup__6218dea3ee0ad\setup_installer\6218de8b00663_fri13482c1255.exe
MD5
98c3385d313ae6d4cf1f192830f6b555

SHA1
31c572430094e9adbf5b7647c3621b2e8dfa7fe8

SHA256
4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be

SHA512
fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Download Submit
memory/1304-213-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1544-208-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1544-203-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1596-209-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1600-173-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1600-176-0x000000006494C000-0x000000006494F000-memory.dmp

Filesize
12KB

Download
memory/1600-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1600-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1600-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1600-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1600-154-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1600-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1600-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1600-157-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1600-172-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1600-171-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1600-174-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/1600-175-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/1760-374-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/1760-356-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/1760-291-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/1760-349-0x0000000005740000-0x000000000619D000-memory.dmp

Filesize
10.4MB

Download
memory/1760-353-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/1760-373-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/1760-359-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/1760-363-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/1760-365-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1760-361-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/1760-354-0x0000000005740000-0x000000000619D000-memory.dmp

Filesize
10.4MB

Download
memory/1760-360-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1760-358-0x00000000061A0000-0x00000000062E0000-memory.dmp

Filesize
1.2MB

Download
memory/2304-278-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2304-276-0x0000000002D3C000-0x0000000002D4D000-memory.dmp

Filesize
68KB

Download
memory/2304-277-0x0000000002D3C000-0x0000000002D4D000-memory.dmp

Filesize
68KB

Download
memory/2436-388-0x0000000012280000-0x0000000012290000-memory.dmp

Filesize
64KB

Download
memory/2436-282-0x0000000008880000-0x0000000008896000-memory.dmp

Filesize
88KB

Download
memory/2436-392-0x0000000012280000-0x0000000012290000-memory.dmp

Filesize
64KB

Download
memory/2436-275-0x0000000007CE0000-0x0000000007CF6000-memory.dmp

Filesize
88KB

Download
memory/2436-270-0x00000000087D0000-0x00000000087E6000-memory.dmp

Filesize
88KB

Download
memory/2436-385-0x0000000012280000-0x0000000012290000-memory.dmp

Filesize
64KB

Download
memory/2436-391-0x0000000012280000-0x0000000012290000-memory.dmp

Filesize
64KB

Download
memory/2580-272-0x0000000002D48000-0x0000000002D59000-memory.dmp

Filesize
68KB

Download
memory/2580-271-0x0000000002D48000-0x0000000002D59000-memory.dmp

Filesize
68KB

Download
memory/2580-273-0x0000000002B50000-0x0000000002B59000-memory.dmp

Filesize
36KB

Download
memory/2580-274-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2672-228-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3228-341-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3364-264-0x0000000002C09000-0x0000000002C19000-memory.dmp

Filesize
64KB

Download
memory/3364-266-0x0000000002C09000-0x0000000002C19000-memory.dmp

Filesize
64KB

Download
memory/3364-267-0x0000000004610000-0x0000000004619000-memory.dmp

Filesize
36KB

Download
memory/3604-241-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3604-242-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3604-247-0x000000006494D000-0x000000006494F000-memory.dmp

Filesize
8KB

Download
memory/3604-245-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3604-246-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3604-243-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3604-244-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3832-265-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3832-269-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3928-268-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3948-380-0x0000000002DB8000-0x0000000002DC8000-memory.dmp

Filesize
64KB

Download
memory/4040-283-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

Filesize
68KB

Download
memory/4040-286-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4040-285-0x0000000002D70000-0x0000000002D79000-memory.dmp

Filesize
36KB

Download
memory/4040-284-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

Filesize
68KB

Download
memory/4116-230-0x0000000000AF6000-0x0000000000AF7000-memory.dmp

Filesize
4KB

Download
memory/4116-229-0x00000000007CE000-0x00000000007CF000-memory.dmp

Filesize
4KB

Download
memory/4116-222-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/4160-382-0x0000000002DE8000-0x0000000002DF8000-memory.dmp

Filesize
64KB

Download
memory/4212-345-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4228-256-0x0000000006785000-0x0000000006787000-memory.dmp

Filesize
8KB

Download
memory/4228-255-0x0000000074FF0000-0x000000007503C000-memory.dmp

Filesize
304KB

Download
memory/4228-253-0x0000000006782000-0x0000000006783000-memory.dmp

Filesize
4KB

Download
memory/4228-252-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/4228-251-0x000000007280E000-0x000000007280F000-memory.dmp

Filesize
4KB

Download
memory/4228-257-0x000000007F100000-0x000000007F101000-memory.dmp

Filesize
4KB

Download
memory/4228-381-0x0000000002B78000-0x0000000002B89000-memory.dmp

Filesize
68KB

Download
memory/4376-355-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/4376-367-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/4376-368-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-371-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-288-0x000000000482E000-0x0000000004919000-memory.dmp

Filesize
940KB

Download
memory/4376-290-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/4376-289-0x0000000004920000-0x0000000004B69000-memory.dmp

Filesize
2.3MB

Download
memory/4376-287-0x0000000000400000-0x0000000002BF7000-memory.dmp

Filesize
40.0MB

Download
memory/4376-292-0x000000000060A000-0x0000000000611000-memory.dmp

Filesize
28KB

Download
memory/4376-372-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-370-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/4376-369-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-348-0x00000000053F0000-0x0000000005E4D000-memory.dmp

Filesize
10.4MB

Download
memory/4376-366-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-364-0x0000000006030000-0x0000000006170000-memory.dmp

Filesize
1.2MB

Download
memory/4376-362-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4376-357-0x00000000053F0000-0x0000000005E4D000-memory.dmp

Filesize
10.4MB

Download
memory/4624-260-0x0000000002B88000-0x0000000002BB6000-memory.dmp

Filesize
184KB

Download
memory/4624-262-0x0000000004790000-0x00000000047E1000-memory.dmp

Filesize
324KB

Download
memory/4624-263-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4624-261-0x0000000002B88000-0x0000000002BB6000-memory.dmp

Filesize
184KB

Download
memory/4876-193-0x0000000009E20000-0x000000000A49A000-memory.dmp

Filesize
6.5MB

Download
memory/4876-197-0x0000000009A10000-0x0000000009A1E000-memory.dmp

Filesize
56KB

Download
memory/4876-191-0x0000000007025000-0x0000000007027000-memory.dmp

Filesize
8KB

Download
memory/4876-192-0x000000007F030000-0x000000007F031000-memory.dmp

Filesize
4KB

Download
memory/4876-194-0x00000000097E0000-0x00000000097FA000-memory.dmp

Filesize
104KB

Download
memory/4876-189-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/4876-188-0x0000000008A90000-0x0000000008AC2000-memory.dmp

Filesize
200KB

Download
memory/4876-187-0x00000000084E0000-0x00000000084FE000-memory.dmp

Filesize
120KB

Download
memory/4876-195-0x0000000009860000-0x000000000986A000-memory.dmp

Filesize
40KB

Download
memory/4876-186-0x0000000007EE0000-0x0000000007F46000-memory.dmp

Filesize
408KB

Download
memory/4876-196-0x0000000009A50000-0x0000000009AE6000-memory.dmp

Filesize
600KB

Download
memory/4876-190-0x0000000008A70000-0x0000000008A8E000-memory.dmp

Filesize
120KB

Download
memory/4876-198-0x0000000009B10000-0x0000000009B2A000-memory.dmp

Filesize
104KB

Download
memory/4876-185-0x0000000007E00000-0x0000000007E66000-memory.dmp

Filesize
408KB

Download
memory/4876-184-0x0000000007510000-0x0000000007532000-memory.dmp

Filesize
136KB

Download
memory/4876-199-0x0000000009B00000-0x0000000009B08000-memory.dmp

Filesize
32KB

Download
memory/4876-183-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download
memory/4876-179-0x0000000006F00000-0x0000000006F36000-memory.dmp

Filesize
216KB

Download
memory/4876-182-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/4876-181-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/4876-180-0x0000000007660000-0x0000000007C88000-memory.dmp

Filesize
6.2MB

Download
memory/4896-280-0x0000000002B4C000-0x0000000002B7A000-memory.dmp

Filesize
184KB

Download
memory/4896-281-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download