Analysis
-
max time kernel
26s -
max time network
123s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-05-2021 08:11
Errors
Reason
Machine shutdown
General
-
Target
BBA60DFA5E58997112A5829898E2A7DD.exe
-
Size
3.9MB
-
MD5
bba60dfa5e58997112a5829898e2a7dd
-
SHA1
b0b3f12499471d97d337396b9dd652497e070866
-
SHA256
4e9bb871716df27af35ede8b153efa96e131321fa3ced426fce64b893ebd089a
-
SHA512
fc7ceccfba312cd787cfe7c6674465848bd7a89d4130b68ebfe3839be92cc8567e3d6d97e974eb3ddd11dd7071fa43632e9dec4df298c7b431213c30a52936bd
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://khaleelahmed.com/upload/
http://twvickiassociation.com/upload/
http://www20833.com/upload/
http://cocinasintonterias.com/upload/
http://masaofukunaga.com/upload/
http://gnckids.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
Servj
C2
87.251.71.4:80
Extracted
Family
raccoon
Botnet
74452b5cbc58563477e4a9e149f2093398530bbd
Attributes
-
url4cnc
https://tttttt.me/johnyes13
rc4.plain
rc4.plain
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
ASPack v2.12-2.42 9 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 35 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 11 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 13 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies registry class 4 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BBA60DFA5E58997112A5829898E2A7DD.exe"C:\Users\Admin\AppData\Local\Temp\BBA60DFA5E58997112A5829898E2A7DD.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_1.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_1.exemetina_1.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_2.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_2.exemetina_2.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_3.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_3.exemetina_3.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd5⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_4.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_4.exemetina_4.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-APV5H.tmp\metina_4.tmp"C:\Users\Admin\AppData\Local\Temp\is-APV5H.tmp\metina_4.tmp" /SL5="$80056,140518,56832,C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_4.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-A84LH.tmp\_____Zi____DanE______10.exe"C:\Users\Admin\AppData\Local\Temp\is-A84LH.tmp\_____Zi____DanE______10.exe" /S /UID=burnerch16⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\56-6e634-8ee-2b68b-b8aa9b27f0a1d\SHanarezhifo.exe"C:\Users\Admin\AppData\Local\Temp\56-6e634-8ee-2b68b-b8aa9b27f0a1d\SHanarezhifo.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\bc-b39eb-3c0-518bd-a25f8d2c104ed\Xityfawobae.exe"C:\Users\Admin\AppData\Local\Temp\bc-b39eb-3c0-518bd-a25f8d2c104ed\Xityfawobae.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\ebook.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\ebook.exeC:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\ebook.exe9⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\EBOOKE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\ebook.exe10⤵
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0jwhlvvq.z4j\EBOOKE~1.DLL,dRxZfDZgBQ==11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1108.tmp.ps1"12⤵
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqbvrpov.dce\001.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\jqbvrpov.dce\001.exeC:\Users\Admin\AppData\Local\Temp\jqbvrpov.dce\001.exe9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hzjmqwey.zpl\md1_1eaf.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\hzjmqwey.zpl\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\hzjmqwey.zpl\md1_1eaf.exe9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x23tr3hu.vjz\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\x23tr3hu.vjz\installer.exeC:\Users\Admin\AppData\Local\Temp\x23tr3hu.vjz\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\x23tr3hu.vjz\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\x23tr3hu.vjz\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621930417 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vzmfz3ba.swj\gaoou.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\vzmfz3ba.swj\gaoou.exeC:\Users\Admin\AppData\Local\Temp\vzmfz3ba.swj\gaoou.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt10⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4vvp0mva.o2w\Setup3310.exe /Verysilent /subid=623 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\4vvp0mva.o2w\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\4vvp0mva.o2w\Setup3310.exe /Verysilent /subid=6239⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EHJFC.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-EHJFC.tmp\Setup3310.tmp" /SL5="$103F0,138429,56832,C:\Users\Admin\AppData\Local\Temp\4vvp0mva.o2w\Setup3310.exe" /Verysilent /subid=62310⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MQP9I.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MQP9I.tmp\Setup.exe" /Verysilent11⤵
-
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f14⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 614⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\1821053.exe"C:\Users\Admin\AppData\Roaming\1821053.exe"13⤵
-
-
C:\Users\Admin\AppData\Roaming\7509102.exe"C:\Users\Admin\AppData\Roaming\7509102.exe"13⤵
-
-
C:\Users\Admin\AppData\Roaming\6924824.exe"C:\Users\Admin\AppData\Roaming\6924824.exe"13⤵
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-61A67.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-61A67.tmp\lylal220.tmp" /SL5="$5047E,140518,56832,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4D0U0.tmp\___________RUb__________y.exe"C:\Users\Admin\AppData\Local\Temp\is-4D0U0.tmp\___________RUb__________y.exe" /S /UID=lylal22014⤵
-
C:\Program Files\Google\PTYLLPHCPN\irecord.exe"C:\Program Files\Google\PTYLLPHCPN\irecord.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RIVOA.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-RIVOA.tmp\irecord.tmp" /SL5="$404E6,6139911,56832,C:\Program Files\Google\PTYLLPHCPN\irecord.exe" /VERYSILENT16⤵
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\e6-1f077-7f4-8ee88-d0ed3f07af81e\Gaxybibequ.exe"C:\Users\Admin\AppData\Local\Temp\e6-1f077-7f4-8ee88-d0ed3f07af81e\Gaxybibequ.exe"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\79-a201d-d84-62eb1-795e7b9d2e78c\Sozhejahete.exe"C:\Users\Admin\AppData\Local\Temp\79-a201d-d84-62eb1-795e7b9d2e78c\Sozhejahete.exe"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r5b0wusn.yol\001.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\r5b0wusn.yol\001.exeC:\Users\Admin\AppData\Local\Temp\r5b0wusn.yol\001.exe17⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hi2wqdto.lrh\installer.exe /qn CAMPAIGN="654" & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\hi2wqdto.lrh\installer.exeC:\Users\Admin\AppData\Local\Temp\hi2wqdto.lrh\installer.exe /qn CAMPAIGN="654"17⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jvus1ztn.0it\gaoou.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\jvus1ztn.0it\gaoou.exeC:\Users\Admin\AppData\Local\Temp\jvus1ztn.0it\gaoou.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xntgze3o.i4u\Setup3310.exe /Verysilent /subid=623 & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\xntgze3o.i4u\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\xntgze3o.i4u\Setup3310.exe /Verysilent /subid=62317⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9UVMB.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-9UVMB.tmp\Setup3310.tmp" /SL5="$30452,138429,56832,C:\Users\Admin\AppData\Local\Temp\xntgze3o.i4u\Setup3310.exe" /Verysilent /subid=62318⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KU415.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-KU415.tmp\Setup.exe" /Verysilent19⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\smqf04rz.qev\google-game.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\smqf04rz.qev\google-game.exeC:\Users\Admin\AppData\Local\Temp\smqf04rz.qev\google-game.exe17⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\02a1a03l.efa\toolspab1.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\02a1a03l.efa\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\02a1a03l.efa\toolspab1.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\02a1a03l.efa\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\02a1a03l.efa\toolspab1.exe18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\buvhebxq.bk3\005.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\buvhebxq.bk3\005.exeC:\Users\Admin\AppData\Local\Temp\buvhebxq.bk3\005.exe17⤵
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6T66E.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-6T66E.tmp\LabPicV3.tmp" /SL5="$304B0,140559,56832,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q5GBD.tmp\___________23.exe"C:\Users\Admin\AppData\Local\Temp\is-Q5GBD.tmp\___________23.exe" /S /UID=lab21414⤵
-
C:\Program Files\Windows Photo Viewer\BSHDAKVQAW\prolab.exe"C:\Program Files\Windows Photo Viewer\BSHDAKVQAW\prolab.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J2ARV.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-J2ARV.tmp\prolab.tmp" /SL5="$30318,575243,216576,C:\Program Files\Windows Photo Viewer\BSHDAKVQAW\prolab.exe" /VERYSILENT16⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\6b-e0d2a-cc3-5c69e-ad31916052a3f\Memaeshepavae.exe"C:\Users\Admin\AppData\Local\Temp\6b-e0d2a-cc3-5c69e-ad31916052a3f\Memaeshepavae.exe"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\56-91b48-e00-b88bc-cdeb4cd035f32\Hiraeluqiri.exe"C:\Users\Admin\AppData\Local\Temp\56-91b48-e00-b88bc-cdeb4cd035f32\Hiraeluqiri.exe"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5e5ex2rz.kjq\001.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\5e5ex2rz.kjq\001.exeC:\Users\Admin\AppData\Local\Temp\5e5ex2rz.kjq\001.exe17⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i4a3zos0.wj1\installer.exe /qn CAMPAIGN="654" & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\i4a3zos0.wj1\installer.exeC:\Users\Admin\AppData\Local\Temp\i4a3zos0.wj1\installer.exe /qn CAMPAIGN="654"17⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ogkuu2a.22a\gaoou.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\4ogkuu2a.22a\gaoou.exeC:\Users\Admin\AppData\Local\Temp\4ogkuu2a.22a\gaoou.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tpopgnxj.4ca\Setup3310.exe /Verysilent /subid=623 & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\tpopgnxj.4ca\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\tpopgnxj.4ca\Setup3310.exe /Verysilent /subid=62317⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R5FFS.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-R5FFS.tmp\Setup3310.tmp" /SL5="$603BA,138429,56832,C:\Users\Admin\AppData\Local\Temp\tpopgnxj.4ca\Setup3310.exe" /Verysilent /subid=62318⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M2FML.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-M2FML.tmp\Setup.exe" /Verysilent19⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\su5odciq.u4o\google-game.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\su5odciq.u4o\google-game.exeC:\Users\Admin\AppData\Local\Temp\su5odciq.u4o\google-game.exe17⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ojsnxhvg.0ql\toolspab1.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\ojsnxhvg.0ql\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ojsnxhvg.0ql\toolspab1.exe17⤵
-
C:\Users\Admin\AppData\Local\Temp\ojsnxhvg.0ql\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\ojsnxhvg.0ql\toolspab1.exe18⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2jv545e2.vog\005.exe & exit16⤵
-
C:\Users\Admin\AppData\Local\Temp\2jv545e2.vog\005.exeC:\Users\Admin\AppData\Local\Temp\2jv545e2.vog\005.exe17⤵
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"12⤵
-
-
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cj5aqf35.xz3\google-game.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\cj5aqf35.xz3\google-game.exeC:\Users\Admin\AppData\Local\Temp\cj5aqf35.xz3\google-game.exe9⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd10⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2vhm0z5.erq\toolspab1.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\m2vhm0z5.erq\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\m2vhm0z5.erq\toolspab1.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\m2vhm0z5.erq\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\m2vhm0z5.erq\toolspab1.exe10⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1e41aozy.wcx\005.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\1e41aozy.wcx\005.exeC:\Users\Admin\AppData\Local\Temp\1e41aozy.wcx\005.exe9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ea53w2wd.hpa\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ea53w2wd.hpa\installer.exeC:\Users\Admin\AppData\Local\Temp\ea53w2wd.hpa\installer.exe /qn CAMPAIGN="654"9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rm1kqbwl.aq4\702564a0.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\rm1kqbwl.aq4\702564a0.exeC:\Users\Admin\AppData\Local\Temp\rm1kqbwl.aq4\702564a0.exe9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ak4ktrdd.nj4\app.exe /8-2222 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ak4ktrdd.nj4\app.exeC:\Users\Admin\AppData\Local\Temp\ak4ktrdd.nj4\app.exe /8-22229⤵
-
-
-
-
C:\Program Files\Internet Explorer\VEXISRLSTJ\ultramediaburner.exe"C:\Program Files\Internet Explorer\VEXISRLSTJ\ultramediaburner.exe" /VERYSILENT7⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_5.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_5.exemetina_5.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_6.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_6.exemetina_6.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\RR9yJlcFJFlGI65l2z0ZIo87.exe"C:\Users\Admin\AppData\Roaming\RR9yJlcFJFlGI65l2z0ZIo87.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\RR9yJlcFJFlGI65l2z0ZIo87.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30007⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\qTzo1jxlYC9Zmqo3VgXjtFQy.exe"C:\Users\Admin\AppData\Roaming\qTzo1jxlYC9Zmqo3VgXjtFQy.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 6566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 6726⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 7686⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 8046⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 10726⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\b3ha5GsLPHccjxvM4N7ApIvt.exe"C:\Users\Admin\AppData\Roaming\b3ha5GsLPHccjxvM4N7ApIvt.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\runme.exe"C:\Program Files (x86)\Company\NewProduct\runme.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 6567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 6727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 7687⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 8047⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 12727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 13127⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 13967⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 13807⤵
- Program crash
-
-
-
C:\Program Files (x86)\Company\NewProduct\file4.exe"C:\Program Files (x86)\Company\NewProduct\file4.exe"6⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\lij.exe"C:\Program Files (x86)\Company\NewProduct\lij.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd7⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\l8V7wCppKfuowbvEOqxNogyP.exe"C:\Users\Admin\AppData\Roaming\l8V7wCppKfuowbvEOqxNogyP.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\l8V7wCppKfuowbvEOqxNogyP.exe"C:\Users\Admin\AppData\Roaming\l8V7wCppKfuowbvEOqxNogyP.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Vq4ttim4yWSHFQO4pOlrgKax.exe"C:\Users\Admin\AppData\Roaming\Vq4ttim4yWSHFQO4pOlrgKax.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\S9zqTBomTBWPEBJDWa0BddCF.exe"C:\Users\Admin\AppData\Roaming\S9zqTBomTBWPEBJDWa0BddCF.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\S9zqTBomTBWPEBJDWa0BddCF.exe"C:\Users\Admin\AppData\Roaming\S9zqTBomTBWPEBJDWa0BddCF.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Eof5r8STHxI6RC1OczJhafI2.exe"C:\Users\Admin\AppData\Roaming\Eof5r8STHxI6RC1OczJhafI2.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8359972.exe"C:\Users\Admin\AppData\Roaming\8359972.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\2829606.exe"C:\Users\Admin\AppData\Roaming\2829606.exe"6⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"7⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\ilinUeoifn2xUEBWhT9hZMtu.exe"C:\Users\Admin\AppData\Roaming\ilinUeoifn2xUEBWhT9hZMtu.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\KveuObglDBHwEr7l0tD6WK2D.exe"C:\Users\Admin\AppData\Roaming\KveuObglDBHwEr7l0tD6WK2D.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\gEfFowMQWpTeBRFe03ZrJ6Tl.exe"C:\Users\Admin\AppData\Roaming\gEfFowMQWpTeBRFe03ZrJ6Tl.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\gEfFowMQWpTeBRFe03ZrJ6Tl.exe"6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK7⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\D3nORuPy6umpfs5VsDIQ3NwU.exe"C:\Users\Admin\AppData\Roaming\D3nORuPy6umpfs5VsDIQ3NwU.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\3gOxb8QqlwvqxjUC36sg5jdR.exe"C:\Users\Admin\AppData\Roaming\3gOxb8QqlwvqxjUC36sg5jdR.exe"5⤵
- Executes dropped EXE
- Drops startup file
- Maps connected drives based on registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat6⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 37⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59440.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59440.exe"6⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Roaming\zhbVB04wxJVlJXl2YTxY27vz.exe"C:\Users\Admin\AppData\Roaming\zhbVB04wxJVlJXl2YTxY27vz.exe"5⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Roaming\ZHBVB0~1.DLL,Z C:\Users\Admin\AppData\Roaming\ZHBVB0~1.EXE6⤵
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Roaming\ZHBVB0~1.DLL,GxMIfDaLBbw=7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "metina_6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_6.exe" & exit5⤵
-
C:\Windows\system32\taskkill.exetaskkill /im "metina_6.exe" /f6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_8.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_9.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_10.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c metina_7.exe3⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS04FDA234\metina_7.exemetina_7.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"2⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PbOSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PbOSetp.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\7829592.exe"C:\Users\Admin\AppData\Roaming\7829592.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\6747983.exe"C:\Users\Admin\AppData\Roaming\6747983.exe"3⤵
-
-
-
C:\Windows\SysWOW64\dfrgui.exe"C:\Windows\system32\dfrgui.exe"1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F2⤵
- Executes dropped EXE
- Creates scheduled task(s)
-
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SHDLN.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-SHDLN.tmp\ultramediaburner.tmp" /SL5="$30244,281924,62464,C:\Program Files\Internet Explorer\VEXISRLSTJ\ultramediaburner.exe" /VERYSILENT1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F291F60BF80D621B03E924EB4B32D217 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0550A7859F397E461A635051CBD4E55B2⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2E81B2CAEA160CF6EA881966033597F0 E Global\MSI00002⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\8677.exeC:\Users\Admin\AppData\Local\Temp\8677.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\94C0.exeC:\Users\Admin\AppData\Local\Temp\94C0.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
-
Filesize
696KB
-
Filesize
448KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
300KB
-
Filesize
448KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
684KB
-
Filesize
1.3MB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
48KB
-
Filesize
696KB
-
Filesize
72KB
-
Filesize
448KB
-
Filesize
8KB
-
Filesize
380KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
364KB
-
Filesize
188KB
-
Filesize
9.1MB
-
Filesize
9.0MB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.9MB
-
Filesize
584KB
-
Filesize
580KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
368KB