Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
12/11/2024, 01:29
241112-bwgrxs1gnf 1008/07/2021, 12:18
210708-8z6d5h8z2n 1006/07/2021, 17:53
210706-g6we6sa7sa 1019/06/2021, 18:17
210619-vr8bj2dzfn 1017/06/2021, 21:39
210617-a9cvlnmrbx 1011/06/2021, 17:26
210611-wvab1yw2tj 1008/06/2021, 06:47
210608-qrbpch3y46 1008/06/2021, 06:47
210608-64tndgm1ln 1005/06/2021, 18:40
210605-cd6qpr55sx 1004/06/2021, 11:56
210604-5c416rs3ns 10Analysis
-
max time kernel
1017s -
max time network
1801s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18/05/2021, 13:06
General
-
Target
Install.exe
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
agressia
C2
135.181.170.166:44121
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 60 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 11 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FUB0I.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-FUB0I.tmp\Install.tmp" /SL5="$20118,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-EGKGC.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-EGKGC.tmp\Ultra.exe" /S /UID=burnerch13⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Photo Viewer\ZUGYGHNLMT\ultramediaburner.exe"C:\Program Files\Windows Photo Viewer\ZUGYGHNLMT\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-R48SN.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-R48SN.tmp\ultramediaburner.tmp" /SL5="$70060,281924,62464,C:\Program Files\Windows Photo Viewer\ZUGYGHNLMT\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1f-639a1-227-8f58c-5109ded1a9004\Dofexehace.exe"C:\Users\Admin\AppData\Local\Temp\1f-639a1-227-8f58c-5109ded1a9004\Dofexehace.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\a0-ad06d-105-c95b7-f356c92e42c0d\Lihizhaelyra.exe"C:\Users\Admin\AppData\Local\Temp\a0-ad06d-105-c95b7-f356c92e42c0d\Lihizhaelyra.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v24w5zp2.asc\001.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\v24w5zp2.asc\001.exeC:\Users\Admin\AppData\Local\Temp\v24w5zp2.asc\001.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\awyhnlzo.qma\installer.exe /qn CAMPAIGN="654" & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\awyhnlzo.qma\installer.exeC:\Users\Admin\AppData\Local\Temp\awyhnlzo.qma\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\awyhnlzo.qma\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\awyhnlzo.qma\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621083818 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w2gax0co.bwa\hbggg.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\w2gax0co.bwa\hbggg.exeC:\Users\Admin\AppData\Local\Temp\w2gax0co.bwa\hbggg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x3vu4u4b.hu0\google-game.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x3vu4u4b.hu0\google-game.exeC:\Users\Admin\AppData\Local\Temp\x3vu4u4b.hu0\google-game.exe6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\miazhywt.5ui\setup.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\miazhywt.5ui\setup.exeC:\Users\Admin\AppData\Local\Temp\miazhywt.5ui\setup.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\miazhywt.5ui\setup.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30008⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ya4zrmt3.zot\customer1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ya4zrmt3.zot\customer1.exeC:\Users\Admin\AppData\Local\Temp\ya4zrmt3.zot\customer1.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c4dctopi.q0h\toolspab1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\c4dctopi.q0h\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\c4dctopi.q0h\toolspab1.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\c4dctopi.q0h\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\c4dctopi.q0h\toolspab1.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mogiuy1f.ayw\GcleanerWW.exe /mixone & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wrefry5e.g1a\005.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\wrefry5e.g1a\005.exeC:\Users\Admin\AppData\Local\Temp\wrefry5e.g1a\005.exe6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fc1lpl5o.1cj\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\fc1lpl5o.1cj\installer.exeC:\Users\Admin\AppData\Local\Temp\fc1lpl5o.1cj\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fc1lpl5o.1cj\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fc1lpl5o.1cj\ EXE_CMD_LINE="/forcecleanup /wintime 1621083818 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t5nej3uz.p2k\702564a0.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\t5nej3uz.p2k\702564a0.exeC:\Users\Admin\AppData\Local\Temp\t5nej3uz.p2k\702564a0.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ixopp2tr.lmd\app.exe /8-2222 & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ixopp2tr.lmd\app.exeC:\Users\Admin\AppData\Local\Temp\ixopp2tr.lmd\app.exe /8-22226⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ixopp2tr.lmd\app.exe"C:\Users\Admin\AppData\Local\Temp\ixopp2tr.lmd\app.exe" /8-22227⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pzs0d0sm.qbw\Setup3310.exe /Verysilent /subid=623 & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\pzs0d0sm.qbw\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\pzs0d0sm.qbw\Setup3310.exe /Verysilent /subid=6236⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-OG3H8.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-OG3H8.tmp\Setup3310.tmp" /SL5="$20220,138429,56832,C:\Users\Admin\AppData\Local\Temp\pzs0d0sm.qbw\Setup3310.exe" /Verysilent /subid=6237⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-PHOPL.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PHOPL.tmp\Setup.exe" /Verysilent8⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f11⤵
- Kills process with taskkill
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 611⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\1869389.exe"C:\Users\Admin\AppData\Roaming\1869389.exe"10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\7278506.exe"C:\Users\Admin\AppData\Roaming\7278506.exe"10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\8037932.exe"C:\Users\Admin\AppData\Roaming\8037932.exe"10⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1712773.exe"C:\Users\Admin\AppData\Roaming\1712773.exe"10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 218011⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"9⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install10⤵
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-79CUC.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-79CUC.tmp\LabPicV3.tmp" /SL5="$20386,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-E1O8H.tmp\3316505.exe"C:\Users\Admin\AppData\Local\Temp\is-E1O8H.tmp\3316505.exe" /S /UID=lab21411⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\VideoLAN\HVEARVBGOV\prolab.exe"C:\Program Files\VideoLAN\HVEARVBGOV\prolab.exe" /VERYSILENT12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MI76A.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-MI76A.tmp\prolab.tmp" /SL5="$602B4,575243,216576,C:\Program Files\VideoLAN\HVEARVBGOV\prolab.exe" /VERYSILENT13⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\79-7e90b-2ea-57ca1-483e15694e745\Narevedyzhae.exe"C:\Users\Admin\AppData\Local\Temp\79-7e90b-2ea-57ca1-483e15694e745\Narevedyzhae.exe"12⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\92-0e149-77b-5d39c-8b470a51a06ce\ZHyvibihyzhy.exe"C:\Users\Admin\AppData\Local\Temp\92-0e149-77b-5d39c-8b470a51a06ce\ZHyvibihyzhy.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pu2aeocc.rfn\001.exe & exit13⤵
- Blocklisted process makes network request
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\pu2aeocc.rfn\001.exeC:\Users\Admin\AppData\Local\Temp\pu2aeocc.rfn\001.exe14⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\12rjjqyc.a14\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\12rjjqyc.a14\installer.exeC:\Users\Admin\AppData\Local\Temp\12rjjqyc.a14\installer.exe /qn CAMPAIGN="654"14⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bameivyf.o5d\hbggg.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\bameivyf.o5d\hbggg.exeC:\Users\Admin\AppData\Local\Temp\bameivyf.o5d\hbggg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tl2nfuxg.w2z\google-game.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\tl2nfuxg.w2z\google-game.exeC:\Users\Admin\AppData\Local\Temp\tl2nfuxg.w2z\google-game.exe14⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cnempnop.4rz\setup.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\cnempnop.4rz\setup.exeC:\Users\Admin\AppData\Local\Temp\cnempnop.4rz\setup.exe14⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cnempnop.4rz\setup.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300016⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oecpqnob.l0b\customer1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\oecpqnob.l0b\customer1.exeC:\Users\Admin\AppData\Local\Temp\oecpqnob.l0b\customer1.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qg1c545x.ej1\toolspab1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\qg1c545x.ej1\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\qg1c545x.ej1\toolspab1.exe14⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\qg1c545x.ej1\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\qg1c545x.ej1\toolspab1.exe15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\czkubyog.lsm\GcleanerWW.exe /mixone & exit13⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rjcht25k.exc\005.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\rjcht25k.exc\005.exeC:\Users\Admin\AppData\Local\Temp\rjcht25k.exc\005.exe14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hfy1wkhu.wv0\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\hfy1wkhu.wv0\installer.exeC:\Users\Admin\AppData\Local\Temp\hfy1wkhu.wv0\installer.exe /qn CAMPAIGN="654"14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4c2bbe01.r53\702564a0.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\4c2bbe01.r53\702564a0.exeC:\Users\Admin\AppData\Local\Temp\4c2bbe01.r53\702564a0.exe14⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tyec50ck.doe\app.exe /8-2222 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\tyec50ck.doe\app.exeC:\Users\Admin\AppData\Local\Temp\tyec50ck.doe\app.exe /8-222214⤵
-
C:\Users\Admin\AppData\Local\Temp\tyec50ck.doe\app.exe"C:\Users\Admin\AppData\Local\Temp\tyec50ck.doe\app.exe" /8-222215⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d0inhh3d.bk3\Setup3310.exe /Verysilent /subid=623 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\d0inhh3d.bk3\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\d0inhh3d.bk3\Setup3310.exe /Verysilent /subid=62314⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QT3I3.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-QT3I3.tmp\Setup3310.tmp" /SL5="$104EC,138429,56832,C:\Users\Admin\AppData\Local\Temp\d0inhh3d.bk3\Setup3310.exe" /Verysilent /subid=62315⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-H9LVU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-H9LVU.tmp\Setup.exe" /Verysilent16⤵
- Drops file in Program Files directory
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KS59Q.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-KS59Q.tmp\lylal220.tmp" /SL5="$30314,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-BR9NU.tmp\4_177039.exe"C:\Users\Admin\AppData\Local\Temp\is-BR9NU.tmp\4_177039.exe" /S /UID=lylal22011⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Common Files\WDJRNKTYTI\irecord.exe"C:\Program Files\Common Files\WDJRNKTYTI\irecord.exe" /VERYSILENT12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-9MUK0.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-9MUK0.tmp\irecord.tmp" /SL5="$4037C,6139911,56832,C:\Program Files\Common Files\WDJRNKTYTI\irecord.exe" /VERYSILENT13⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu14⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\01-72240-dc9-59e92-46823f313d59f\Qaqojumilo.exe"C:\Users\Admin\AppData\Local\Temp\01-72240-dc9-59e92-46823f313d59f\Qaqojumilo.exe"12⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\fd-04c90-38a-bae8a-b4de93c77266b\Jucepinymo.exe"C:\Users\Admin\AppData\Local\Temp\fd-04c90-38a-bae8a-b4de93c77266b\Jucepinymo.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vnrdzlhb.3sw\001.exe & exit13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\vnrdzlhb.3sw\001.exeC:\Users\Admin\AppData\Local\Temp\vnrdzlhb.3sw\001.exe14⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nqpvt2r5.rm2\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\nqpvt2r5.rm2\installer.exeC:\Users\Admin\AppData\Local\Temp\nqpvt2r5.rm2\installer.exe /qn CAMPAIGN="654"14⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lclrp0tp.pge\hbggg.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\lclrp0tp.pge\hbggg.exeC:\Users\Admin\AppData\Local\Temp\lclrp0tp.pge\hbggg.exe14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5evbnkg.inf\google-game.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\j5evbnkg.inf\google-game.exeC:\Users\Admin\AppData\Local\Temp\j5evbnkg.inf\google-game.exe14⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser15⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 62416⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\13ookql3.1pt\setup.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\13ookql3.1pt\setup.exeC:\Users\Admin\AppData\Local\Temp\13ookql3.1pt\setup.exe14⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\13ookql3.1pt\setup.exe"15⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300016⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1xiw44ue.zs4\customer1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\1xiw44ue.zs4\customer1.exeC:\Users\Admin\AppData\Local\Temp\1xiw44ue.zs4\customer1.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ay4qf15.x4y\toolspab1.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\4ay4qf15.x4y\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\4ay4qf15.x4y\toolspab1.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\4ay4qf15.x4y\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\4ay4qf15.x4y\toolspab1.exe15⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wqnnuy5l.0mh\GcleanerWW.exe /mixone & exit13⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nsv1hn1m.evp\005.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\nsv1hn1m.evp\005.exeC:\Users\Admin\AppData\Local\Temp\nsv1hn1m.evp\005.exe14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dmc1hq00.g0t\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\dmc1hq00.g0t\installer.exeC:\Users\Admin\AppData\Local\Temp\dmc1hq00.g0t\installer.exe /qn CAMPAIGN="654"14⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\dmc1hq00.g0t\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\dmc1hq00.g0t\ EXE_CMD_LINE="/forcecleanup /wintime 1621083818 /qn CAMPAIGN=""654"" " CAMPAIGN="654"15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qvk4lmqr.35j\702564a0.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\qvk4lmqr.35j\702564a0.exeC:\Users\Admin\AppData\Local\Temp\qvk4lmqr.35j\702564a0.exe14⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oombukgg.ezj\app.exe /8-2222 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\oombukgg.ezj\app.exeC:\Users\Admin\AppData\Local\Temp\oombukgg.ezj\app.exe /8-222214⤵
-
C:\Users\Admin\AppData\Local\Temp\oombukgg.ezj\app.exe"C:\Users\Admin\AppData\Local\Temp\oombukgg.ezj\app.exe" /8-222215⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5wj52ktt.sjl\Setup3310.exe /Verysilent /subid=623 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\5wj52ktt.sjl\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\5wj52ktt.sjl\Setup3310.exe /Verysilent /subid=62314⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6ANJN.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-6ANJN.tmp\Setup3310.tmp" /SL5="$80414,138429,56832,C:\Users\Admin\AppData\Local\Temp\5wj52ktt.sjl\Setup3310.exe" /Verysilent /subid=62315⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-45DBB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-45DBB.tmp\Setup.exe" /Verysilent16⤵
- Drops file in Program Files directory
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Kills process with taskkill
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
-
-
-
-
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\svdjtstC:\Users\Admin\AppData\Roaming\svdjtst2⤵
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Roaming\bcdjtstC:\Users\Admin\AppData\Roaming\bcdjtst2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\bcdjtstC:\Users\Admin\AppData\Roaming\bcdjtst3⤵
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\bcdjtstC:\Users\Admin\AppData\Roaming\bcdjtst2⤵
-
C:\Users\Admin\AppData\Roaming\bcdjtstC:\Users\Admin\AppData\Roaming\bcdjtst3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\svdjtstC:\Users\Admin\AppData\Roaming\svdjtst2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7D241418D78C271C5AE768812741AAC4 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5BB31879DECFB53D242558AFD7C464162⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7CDC69196E2FCB096E9E08D8AE0644E E Global\MSI00002⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 07FB2832C8AFC0B6AEB286C77FF678F4 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B07D89926FCF23D224D8AFEB1F953E402⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 12FE28A4A9F5CE6F9FCF3D84BED1913C E Global\MSI00002⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 380C2AFAE4101F71BF3DBB72284E5493 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A7CF009FB1CF39243525C01C54C432572⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 80E0C310E7539ABF477234547045AADE E Global\MSI00002⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7688.exeC:\Users\Admin\AppData\Local\Temp\7688.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true2⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true3⤵
-
-
C:\Windows\System\spoolsv.exe"C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 03⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ADF.exeC:\Users\Admin\AppData\Local\Temp\7ADF.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\806E.exeC:\Users\Admin\AppData\Local\Temp\806E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8531.exeC:\Users\Admin\AppData\Local\Temp\8531.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4300 -s 12042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4680 -s 19042⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 10416 -s 12362⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
448KB
-
Filesize
8KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
92KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
448KB
-
Filesize
300KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
1.0MB
-
Filesize
368KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
112KB
-
Filesize
448KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
436KB
-
Filesize
176KB
-
Filesize
48KB