hxxps://drive[.]google[.]com/uc?id=1cftqZwMjx3KPo1xvuOaPBeO3QVZYxza9

Analysis

max time kernel
524s
max time network
493s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
29-11-2022 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1cftqZwMjx3KPo1xvuOaPBeO3QVZYxza9

Score

8^/10

microsoft persistence phishing

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

dxwebsetup.exedxwsetup.exe

pid process

4144 dxwebsetup.exe
1092 dxwsetup.exe

pid	process
4144	dxwebsetup.exe
1092	dxwsetup.exe

Loads dropped DLL 10 IoCs

Processes:

dxwsetup.exe

pid	process
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe
1092	dxwsetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dxwebsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dxwebsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

dxwsetup.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini dxwsetup.exe
File opened for modification C:\Windows\assembly\Desktop.ini dxwsetup.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	dxwsetup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	dxwsetup.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxwsetup.exe

description	ioc	process
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\F:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 64 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx9_33_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_d3dx10_37_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2006_xinput_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2008_d3dx10_40_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_xact_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETEC56.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2006_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_d3dx10_35_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx9_34_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_d3dx10_00_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx9_34_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2005_d3dx9_26_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_x3daudio_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx9_43_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_d3dx10_34_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2007_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_x3daudio_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_xaudio_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx11_42_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2007_d3dx10_33_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Feb2005_d3dx9_24_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dcsx_43_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Feb2007_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_d3dx10_41_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx10_42_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETEC56.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\MDX_1.0.2909.0_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_d3dx9_36_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Feb2010_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_d3dx9_36_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2007_d3dx10_36_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_d3dx10_41_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_d3dx11_42_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2008_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETEC07.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2005_d3dx9_25_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dcsx_43_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2007_d3dx10_35_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2005_d3dx9_26_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Dec2005_d3dx9_28_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Nov2008_xaudio_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2009_x3daudio_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2009_D3DCompiler_42_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Oct2006_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Aug2008_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Apr2006_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Feb2007_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx9_43_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Jun2010_d3dx10_43_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Dec2006_xact_x86.cab	dxwsetup.exe
File created	C:\Windows\SysWOW64\DirectX\WebSetup\Mar2008_xact_x86.cab	dxwsetup.exe

Drops file in Windows directory 64 IoCs

Processes:

dxwsetup.exe

description	ioc	process
File created	C:\Windows\msdownld.tmp\AS5BBBC1.tmp\Dec2006_d3dx10_00_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C4A65.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CBCA7.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CE77F.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CDFCF.tmp\Jun2010_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5BF9A5.tmp\Jun2008_d3dx9_38_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C9141.tmp\Mar2008_xaudio_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CDA22.tmp\Jun2010_d3dcsx_43_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CDF04.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5BDB30.tmp\Apr2007_d3dx9_33_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C173F.tmp\Aug2009_d3dx11_42_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CCC76.tmp\Aug2009_D3DCompiler_42_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CCF44.tmp\Aug2009_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CE84B.tmp\MDX_1.0.2905.0_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5BCCD8.tmp\Feb2006_d3dx9_29_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C0C62.tmp\Mar2009_d3dx9_41_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C2BD1.tmp\Jun2010_D3DCompiler_43_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C50DD.tmp\Apr2006_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C9A0B.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C2BD1.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CA546.tmp\Aug2008_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C21FD.tmp\Aug2009_D3DCompiler_42_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C8F5D.tmp\Mar2008_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CD03E.tmp\Aug2009_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CEB67.tmp\MDX_1.0.2908.0_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C53AC.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C7BD5.tmp\Aug2007_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C9076.tmp\Mar2008_xaudio_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CBD62.tmp\Mar2009_xact_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CE146.tmp\MDX_1.0.2902.0_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5BFD2F.tmp\Jun2008_d3dx10_38_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C26FE.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C5458.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C86A3.tmp\Nov2007_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CA43D.tmp\Aug2008_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CBFC4.tmp\Aug2009_d3dx9_42_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CE973.tmp\MDX_1.0.2906.0_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5BE60D.tmp\Jun2007_d3dx10_34_x86.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5BFF23.tmp\Aug2008_d3dx9_39_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C7D5C.tmp\Nov2007_d3dx9_36_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CA8B1.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CC37D.tmp\Aug2009_d3dx11_42_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C632C.tmp\Feb2007_xact_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C7D5C.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CA631.tmp\Aug2008_xaudio_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CD129.tmp\Aug2009_xaudio_x64.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C6AFC.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C9C2E.tmp\Jun2008_xaudio_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CBDDF.tmp\Mar2009_xaudio_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DXError.log	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C21FD.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C7BD5.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CA1FB.tmp\Aug2008_d3dx10_39_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CE405.tmp\MDX_1.0.2903.0_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CE08A.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5BC6EC.tmp\Aug2005_d3dx9_27_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5BF204.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5C7BD5.tmp\Aug2007_xact_x86.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C9C2E.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5CCC76.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS5C5244.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CB0DF.tmp\Nov2008_d3dx10_40_x64.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS5CA546.tmp\Aug2008_xaudio_x86.cab	dxwsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 2 IoCs

Processes:

chrome.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\dxwebsetup.exe:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\dxwebsetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4232	chrome.exe
4232	chrome.exe
1784	chrome.exe
1784	chrome.exe
3996	chrome.exe
3996	chrome.exe
5092	chrome.exe
5092	chrome.exe
4588	chrome.exe
4588	chrome.exe
4608	chrome.exe
4608	chrome.exe
3168	chrome.exe
3168	chrome.exe
3800	chrome.exe
3800	chrome.exe
1784	chrome.exe
1784	chrome.exe
1412	chrome.exe
1412	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1784 chrome.exe
1784 chrome.exe
1784 chrome.exe
1784 chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

firefox.exevssvc.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	4472	firefox.exe
Token: SeDebugPrivilege	4472	firefox.exe
Token: SeDebugPrivilege	4472	firefox.exe
Token: SeDebugPrivilege	4472	firefox.exe
Token: SeBackupPrivilege	4220	vssvc.exe
Token: SeRestorePrivilege	4220	vssvc.exe
Token: SeAuditPrivilege	4220	vssvc.exe
Token: SeBackupPrivilege	340	srtasks.exe
Token: SeRestorePrivilege	340	srtasks.exe
Token: SeSecurityPrivilege	340	srtasks.exe
Token: SeTakeOwnershipPrivilege	340	srtasks.exe
Token: SeBackupPrivilege	340	srtasks.exe
Token: SeRestorePrivilege	340	srtasks.exe
Token: SeSecurityPrivilege	340	srtasks.exe
Token: SeTakeOwnershipPrivilege	340	srtasks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid	process
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1784 wrote to memory of 1852	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 1852	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3908	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 4232	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 4232	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe
PID 1784 wrote to memory of 3036	1784	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://drive.google.com/uc?id=1cftqZwMjx3KPo1xvuOaPBeO3QVZYxza9
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffa2ca4f50,0x7fffa2ca4f60,0x7fffa2ca4f70
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
2⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=908 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,6588743587339921374,7776896356524699546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2260

C:\Users\Admin\Desktop\SDT2 0.1.0\SDT2.exe
"C:\Users\Admin\Desktop\SDT2 0.1.0\SDT2.exe"
1⤵
PID:4940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.0.764904691\1009114744" -parentBuildID 20200403170909 -prefsHandle 1560 -prefMapHandle 1552 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 1632 gpu
3⤵
PID:4484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.3.1661402044\1833760306" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2016 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 1436 tab
3⤵
PID:3368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4472.13.937959887\1452925105" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4472 "\\.\pipe\gecko-crash-server-pipe.4472" 3476 tab
3⤵
PID:2160

C:\Users\Admin\Downloads\dxwebsetup.exe
"C:\Users\Admin\Downloads\dxwebsetup.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
PID:1092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4888

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Users\Admin\Desktop\SDT2 0.1.0\SDT2.exe
"C:\Users\Admin\Desktop\SDT2 0.1.0\SDT2.exe"
1⤵
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.cif
Filesize
65KB

MD5
b36d3f105d18e55534ad605cbf061a92

SHA1
788ef2de1dea6c8fe1d23a2e1007542f7321ed79

SHA256
c6c5e877e92d387e977c135765075b7610df2500e21c16e106a225216e6442ae

SHA512
35ae00da025fd578205337a018b35176095a876cd3c3cf67a3e8a8e69cd750a4ccc34ce240f11fae3418e5e93caf5082c987f0c63f9d953ed7cb8d9271e03b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.inf
Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
7b1fbe9f5f43b2261234b78fe115cf8e

SHA1
dd0f256ae38b4c4771e1d1ec001627017b7bb741

SHA256
762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

SHA512
d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif
Filesize
56KB

MD5
2c4d9e4773084f33092ced15678a2c46

SHA1
bad603d543470157effd4876a684b9cfd5075524

SHA256
ed710d035ccaab0914810becf2f5db2816dba3a351f3666a38a903c80c16997a

SHA512
d2e34cac195cfede8bc64bdc92721c574963ff522618eda4d7172f664aeb4c8675fd3d4f3658391ee5eaa398bcd2ce5d8f80deecf51af176f5c4bb2d2695e04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\Downloads\dxwebsetup.exe
Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
C:\Users\Admin\Downloads\dxwebsetup.exe
Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
\??\pipe\crashpad_1784_JQQBJZITWKNZQOVI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\DX6342.tmp\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
\Users\Admin\AppData\Local\Temp\DX6342.tmp\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
\Users\Admin\AppData\Local\Temp\DX6342.tmp\microsoft.directx.direct3dx.dll
Filesize
2.6MB

MD5
a73e7421449cca62b0561bad4c8ef23d

SHA1
cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

SHA256
7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

SHA512
63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

Download Submit
\Users\Admin\AppData\Local\Temp\DX6342.tmp\microsoft.directx.direct3dx.dll
Filesize
2.6MB

MD5
a73e7421449cca62b0561bad4c8ef23d

SHA1
cf51ca7d28fcdc79c215450fb759ffe9101b6cfe

SHA256
7986e3fbe05418fe5d8425f2f1b76b7a7b09952f3ec560b286dd744bf7178059

SHA512
63d24647ac5d0beb8f1284973927263cb6e05b4c399cda3912178114b42d541dd516c6d67a453ea997d9d0cd9126a1802678062f0951c2547e1b445ba50dfbe4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxupdate.dll
Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup.dll
Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll
Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll
Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
memory/1092-173-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-182-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-170-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-177-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-181-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-183-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-186-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-189-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-188-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-187-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-185-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-184-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-180-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-179-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-178-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-176-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-160-0x0000000000000000-mapping.dmp

Download
memory/1092-162-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-175-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-163-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-164-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-165-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-166-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-167-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-168-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-171-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-172-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1092-174-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-157-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-123-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-158-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-143-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-155-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-145-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-154-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-153-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-152-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-151-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-150-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-149-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-148-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-147-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-146-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-142-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-144-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-141-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-156-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-159-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-138-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-139-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-137-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-136-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-135-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-134-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-133-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-132-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-131-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-130-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-128-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-127-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-126-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-125-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-124-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-140-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/4144-122-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download