Resubmissions
12-11-2024 01:29
241112-bwgrxs1gnf 1008-07-2021 12:18
210708-8z6d5h8z2n 1006-07-2021 17:53
210706-g6we6sa7sa 1019-06-2021 18:17
210619-vr8bj2dzfn 1017-06-2021 21:39
210617-a9cvlnmrbx 1011-06-2021 17:26
210611-wvab1yw2tj 1008-06-2021 06:47
210608-qrbpch3y46 1008-06-2021 06:47
210608-64tndgm1ln 1005-06-2021 18:40
210605-cd6qpr55sx 1004-06-2021 11:56
210604-5c416rs3ns 10Analysis
-
max time kernel
1800s -
max time network
1799s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-05-2021 18:30
General
-
Target
keygen-step-4d.exe
Score
10/10
Malware Config
Signatures
-
Detected facebook phishing page
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Script User-Agent 24 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\bvvutgcC:\Users\Admin\AppData\Roaming\bvvutgc2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc3⤵
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\bvvutgcC:\Users\Admin\AppData\Roaming\bvvutgc2⤵
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\ruvutgcC:\Users\Admin\AppData\Roaming\ruvutgc3⤵
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\bvvutgcC:\Users\Admin\AppData\Roaming\bvvutgc2⤵
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-I7EKO.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-I7EKO.tmp\Install.tmp" /SL5="$900FE,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-PVJEO.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-PVJEO.tmp\Ultra.exe" /S /UID=burnerch14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Sidebar\IVKFMCYJJK\ultramediaburner.exe"C:\Program Files\Windows Sidebar\IVKFMCYJJK\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-ENDSU.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-ENDSU.tmp\ultramediaburner.tmp" /SL5="$301CC,281924,62464,C:\Program Files\Windows Sidebar\IVKFMCYJJK\ultramediaburner.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu7⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\17-57083-dfa-e28a0-5c4de0fa5ba3f\Pyzhemakuby.exe"C:\Users\Admin\AppData\Local\Temp\17-57083-dfa-e28a0-5c4de0fa5ba3f\Pyzhemakuby.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2e-97044-c0c-944b2-4895cc84da6bd\Dynyhukale.exe"C:\Users\Admin\AppData\Local\Temp\2e-97044-c0c-944b2-4895cc84da6bd\Dynyhukale.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gmyzezlt.wj0\001.exe & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gmyzezlt.wj0\001.exeC:\Users\Admin\AppData\Local\Temp\gmyzezlt.wj0\001.exe7⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x3ien1ri.tn0\installer.exe /qn CAMPAIGN="654" & exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x3ien1ri.tn0\installer.exeC:\Users\Admin\AppData\Local\Temp\x3ien1ri.tn0\installer.exe /qn CAMPAIGN="654"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\x3ien1ri.tn0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\x3ien1ri.tn0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621103658 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3sihidor.mme\hbggg.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\3sihidor.mme\hbggg.exeC:\Users\Admin\AppData\Local\Temp\3sihidor.mme\hbggg.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bsj1zilb.h3e\google-game.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\bsj1zilb.h3e\google-game.exeC:\Users\Admin\AppData\Local\Temp\bsj1zilb.h3e\google-game.exe7⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser8⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dbm34h0g.prr\setup.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\dbm34h0g.prr\setup.exeC:\Users\Admin\AppData\Local\Temp\dbm34h0g.prr\setup.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\dbm34h0g.prr\setup.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30009⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\10zwupof.ikr\customer1.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\10zwupof.ikr\customer1.exeC:\Users\Admin\AppData\Local\Temp\10zwupof.ikr\customer1.exe7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u1ntw12g.pyy\toolspab1.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\u1ntw12g.pyy\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\u1ntw12g.pyy\toolspab1.exe7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\u1ntw12g.pyy\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\u1ntw12g.pyy\toolspab1.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iq4ikyea.1lp\GcleanerWW.exe /mixone & exit6⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zwapaq5t.wbo\005.exe & exit6⤵
- Loads dropped DLL
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\zwapaq5t.wbo\005.exeC:\Users\Admin\AppData\Local\Temp\zwapaq5t.wbo\005.exe7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\haomjdwe.cqd\installer.exe /qn CAMPAIGN="654" & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\haomjdwe.cqd\installer.exeC:\Users\Admin\AppData\Local\Temp\haomjdwe.cqd\installer.exe /qn CAMPAIGN="654"7⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\haomjdwe.cqd\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\haomjdwe.cqd\ EXE_CMD_LINE="/forcecleanup /wintime 1621103658 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzh4tdj4.hiv\702564a0.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\lzh4tdj4.hiv\702564a0.exeC:\Users\Admin\AppData\Local\Temp\lzh4tdj4.hiv\702564a0.exe7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\saefyzdr.hrm\app.exe /8-2222 & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\saefyzdr.hrm\app.exeC:\Users\Admin\AppData\Local\Temp\saefyzdr.hrm\app.exe /8-22227⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\saefyzdr.hrm\app.exe"C:\Users\Admin\AppData\Local\Temp\saefyzdr.hrm\app.exe" /8-22228⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vmdbxvk0.bg3\Setup3310.exe /Verysilent /subid=623 & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\vmdbxvk0.bg3\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\vmdbxvk0.bg3\Setup3310.exe /Verysilent /subid=6237⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-8VPOD.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-8VPOD.tmp\Setup3310.tmp" /SL5="$B0196,138429,56832,C:\Users\Admin\AppData\Local\Temp\vmdbxvk0.bg3\Setup3310.exe" /Verysilent /subid=6238⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-4NSFI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4NSFI.tmp\Setup.exe" /Verysilent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"10⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"11⤵
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f12⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 612⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe12⤵
- Kills process with taskkill
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HPQK5.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-HPQK5.tmp\lylal220.tmp" /SL5="$303BE,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-43U8U.tmp\4_177039.exe"C:\Users\Admin\AppData\Local\Temp\is-43U8U.tmp\4_177039.exe" /S /UID=lylal22012⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Microsoft Office 15\HLKVTLSNZM\irecord.exe"C:\Program Files\Microsoft Office 15\HLKVTLSNZM\irecord.exe" /VERYSILENT13⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-E2V68.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-E2V68.tmp\irecord.tmp" /SL5="$503D2,6139911,56832,C:\Program Files\Microsoft Office 15\HLKVTLSNZM\irecord.exe" /VERYSILENT14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu15⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a2-3d8e8-27c-6ccb0-59ddf81ceafa6\ZHiqebacutae.exe"C:\Users\Admin\AppData\Local\Temp\a2-3d8e8-27c-6ccb0-59ddf81ceafa6\ZHiqebacutae.exe"13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\a7-0a83a-abe-be8a5-2657a1a796e75\Cewucaebewy.exe"C:\Users\Admin\AppData\Local\Temp\a7-0a83a-abe-be8a5-2657a1a796e75\Cewucaebewy.exe"13⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\du20xrdv.qvb\001.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\du20xrdv.qvb\001.exeC:\Users\Admin\AppData\Local\Temp\du20xrdv.qvb\001.exe15⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uuimcc0v.dua\installer.exe /qn CAMPAIGN="654" & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\uuimcc0v.dua\installer.exeC:\Users\Admin\AppData\Local\Temp\uuimcc0v.dua\installer.exe /qn CAMPAIGN="654"15⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1b1l2y1n.2bc\hbggg.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\1b1l2y1n.2bc\hbggg.exeC:\Users\Admin\AppData\Local\Temp\1b1l2y1n.2bc\hbggg.exe15⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3pdytidc.k4p\google-game.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\3pdytidc.k4p\google-game.exeC:\Users\Admin\AppData\Local\Temp\3pdytidc.k4p\google-game.exe15⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser16⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cyf3udmj.5y3\setup.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\cyf3udmj.5y3\setup.exeC:\Users\Admin\AppData\Local\Temp\cyf3udmj.5y3\setup.exe15⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cyf3udmj.5y3\setup.exe"16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300017⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Runs ping.exe
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xxcrpcrd.vkq\customer1.exe & exit14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\xxcrpcrd.vkq\customer1.exeC:\Users\Admin\AppData\Local\Temp\xxcrpcrd.vkq\customer1.exe15⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3iayhylv.w1p\toolspab1.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\3iayhylv.w1p\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\3iayhylv.w1p\toolspab1.exe15⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\3iayhylv.w1p\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\3iayhylv.w1p\toolspab1.exe16⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4xkvpmf2.ynd\GcleanerWW.exe /mixone & exit14⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rjs5fppp.0b2\005.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\rjs5fppp.0b2\005.exeC:\Users\Admin\AppData\Local\Temp\rjs5fppp.0b2\005.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wdijrjwm.1pv\installer.exe /qn CAMPAIGN="654" & exit14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
-
C:\Users\Admin\AppData\Local\Temp\wdijrjwm.1pv\installer.exeC:\Users\Admin\AppData\Local\Temp\wdijrjwm.1pv\installer.exe /qn CAMPAIGN="654"15⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wdijrjwm.1pv\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wdijrjwm.1pv\ EXE_CMD_LINE="/forcecleanup /wintime 1621103658 /qn CAMPAIGN=""654"" " CAMPAIGN="654"16⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3nraiyo.vkj\702564a0.exe & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\a3nraiyo.vkj\702564a0.exeC:\Users\Admin\AppData\Local\Temp\a3nraiyo.vkj\702564a0.exe15⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xqmqmily.xyp\app.exe /8-2222 & exit14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
-
C:\Users\Admin\AppData\Local\Temp\xqmqmily.xyp\app.exeC:\Users\Admin\AppData\Local\Temp\xqmqmily.xyp\app.exe /8-222215⤵
-
C:\Users\Admin\AppData\Local\Temp\xqmqmily.xyp\app.exe"C:\Users\Admin\AppData\Local\Temp\xqmqmily.xyp\app.exe" /8-222216⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x22eijol.wqw\Setup3310.exe /Verysilent /subid=623 & exit14⤵
-
C:\Users\Admin\AppData\Local\Temp\x22eijol.wqw\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\x22eijol.wqw\Setup3310.exe /Verysilent /subid=62315⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0BSQ6.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-0BSQ6.tmp\Setup3310.tmp" /SL5="$A04BC,138429,56832,C:\Users\Admin\AppData\Local\Temp\x22eijol.wqw\Setup3310.exe" /Verysilent /subid=62316⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-F0AE0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-F0AE0.tmp\Setup.exe" /Verysilent17⤵
- Drops file in Program Files directory
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"10⤵
-
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"10⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install11⤵
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\8193921.exe"C:\Users\Admin\AppData\Roaming\8193921.exe"11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\8752411.exe"C:\Users\Admin\AppData\Roaming\8752411.exe"11⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"12⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\5271902.exe"C:\Users\Admin\AppData\Roaming\5271902.exe"11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\2262309.exe"C:\Users\Admin\AppData\Roaming\2262309.exe"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 206012⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"10⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 69E8FC6771747439BAF2770A0E018ED5 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3EAE09864D4E3A32772B0001E5D5A3352⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 40DD0C9C785C3A0C1DF512F16E839A07 E Global\MSI00002⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E5EC30D0148F9388B7D887A03968684D C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F65D13C64B7923ADC67079CB94468D9D2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F1F27CD474AC00AE9352EDFEE4BAEFE4 E Global\MSI00002⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F927D5BDD3C3EDA42A6424CD01803380 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1C2BFA2C30836B7434CF87004099A99D2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F5ABA064625487693148EDCDD692317C E Global\MSI00002⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\41FB.exeC:\Users\Admin\AppData\Local\Temp\41FB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\45E4.exeC:\Users\Admin\AppData\Local\Temp\45E4.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2JIGC.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-2JIGC.tmp\LabPicV3.tmp" /SL5="$40374,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-D54J6.tmp\3316505.exe"C:\Users\Admin\AppData\Local\Temp\is-D54J6.tmp\3316505.exe" /S /UID=lab2142⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\AUIEHLOESF\prolab.exe"C:\Program Files\Windows Defender Advanced Threat Protection\AUIEHLOESF\prolab.exe" /VERYSILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-4QRBJ.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-4QRBJ.tmp\prolab.tmp" /SL5="$8037A,575243,216576,C:\Program Files\Windows Defender Advanced Threat Protection\AUIEHLOESF\prolab.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\9f-a21bb-56e-8ba90-cfda3d397f9b0\Nyrecorywu.exe"C:\Users\Admin\AppData\Local\Temp\9f-a21bb-56e-8ba90-cfda3d397f9b0\Nyrecorywu.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\01-d8510-78d-33886-c10b66553b44a\Moqidazhikae.exe"C:\Users\Admin\AppData\Local\Temp\01-d8510-78d-33886-c10b66553b44a\Moqidazhikae.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n3twhzqf.fte\001.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\n3twhzqf.fte\001.exeC:\Users\Admin\AppData\Local\Temp\n3twhzqf.fte\001.exe5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hkseyjie.hht\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\hkseyjie.hht\installer.exeC:\Users\Admin\AppData\Local\Temp\hkseyjie.hht\installer.exe /qn CAMPAIGN="654"5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ietm0sn3.4pq\hbggg.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ietm0sn3.4pq\hbggg.exeC:\Users\Admin\AppData\Local\Temp\ietm0sn3.4pq\hbggg.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oiq0ptxe.4v1\google-game.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\oiq0ptxe.4v1\google-game.exeC:\Users\Admin\AppData\Local\Temp\oiq0ptxe.4v1\google-game.exe5⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmyrqg2a.uem\setup.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\kmyrqg2a.uem\setup.exeC:\Users\Admin\AppData\Local\Temp\kmyrqg2a.uem\setup.exe5⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\kmyrqg2a.uem\setup.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30007⤵
- Executes dropped EXE
- Runs ping.exe
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fqeuzqr3.ego\customer1.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\fqeuzqr3.ego\customer1.exeC:\Users\Admin\AppData\Local\Temp\fqeuzqr3.ego\customer1.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m5mvtno5.why\toolspab1.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\m5mvtno5.why\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\m5mvtno5.why\toolspab1.exe5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\m5mvtno5.why\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\m5mvtno5.why\toolspab1.exe6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4eyyr1wj.rym\GcleanerWW.exe /mixone & exit4⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwg4f55p.0qk\005.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\kwg4f55p.0qk\005.exeC:\Users\Admin\AppData\Local\Temp\kwg4f55p.0qk\005.exe5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2eayaq24.5wd\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\2eayaq24.5wd\installer.exeC:\Users\Admin\AppData\Local\Temp\2eayaq24.5wd\installer.exe /qn CAMPAIGN="654"5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\txg0isww.k2z\702564a0.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\txg0isww.k2z\702564a0.exeC:\Users\Admin\AppData\Local\Temp\txg0isww.k2z\702564a0.exe5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lsjyqsp0.ghb\app.exe /8-2222 & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\lsjyqsp0.ghb\app.exeC:\Users\Admin\AppData\Local\Temp\lsjyqsp0.ghb\app.exe /8-22225⤵
-
C:\Users\Admin\AppData\Local\Temp\lsjyqsp0.ghb\app.exe"C:\Users\Admin\AppData\Local\Temp\lsjyqsp0.ghb\app.exe" /8-22226⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hn3vdx0u.pb1\Setup3310.exe /Verysilent /subid=623 & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\hn3vdx0u.pb1\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\hn3vdx0u.pb1\Setup3310.exe /Verysilent /subid=6235⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KQ99D.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-KQ99D.tmp\Setup3310.tmp" /SL5="$704DA,138429,56832,C:\Users\Admin\AppData\Local\Temp\hn3vdx0u.pb1\Setup3310.exe" /Verysilent /subid=6236⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-MNQI0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MNQI0.tmp\Setup.exe" /Verysilent7⤵
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\E2E1.exeC:\Users\Admin\AppData\Local\Temp\E2E1.exe1⤵
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true2⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Drops file in Windows directory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
-
-
-
C:\Windows\System\spoolsv.exe"C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 03⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ED52.exeC:\Users\Admin\AppData\Local\Temp\ED52.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F13B.exeC:\Users\Admin\AppData\Local\Temp\F13B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F718.exeC:\Users\Admin\AppData\Local\Temp\F718.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4728 -s 29082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4644 -s 14162⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7520 -s 17482⤵
- Program crash
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
88KB
-
Filesize
448KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
368KB
-
Filesize
1.0MB
-
Filesize
172KB
-
Filesize
448KB
-
Filesize
1.0MB
-
Filesize
300KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
52KB
-
Filesize
1.0MB
-
Filesize
368KB