Resubmissions
11-07-2024 05:43
240711-gej4lstgrf 1006-09-2021 14:13
210906-rjpvrsedbm 1008-07-2021 11:08
210708-4gztl3mwl6 1008-07-2021 08:02
210708-klfb4qeda6 1007-07-2021 09:39
210707-nem57xyvf2 1006-07-2021 17:51
210706-7pcrmjy3fa 1006-07-2021 13:45
210706-eybelwcq86 10Analysis
-
max time kernel
1802s -
max time network
1805s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
02-07-2021 07:13
General
-
Target
setup_x86_x64_install - копия (22).exe
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ServAni
C2
87.251.71.195:82
Extracted
Family
vidar
Version
39.4
Botnet
706
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
rc4.i32
rc4.i32
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 3 IoCs
-
ASPack v2.12-2.42 8 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 14 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\tusbiwiC:\Users\Admin\AppData\Roaming\tusbiwi2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\tusbiwiC:\Users\Admin\AppData\Roaming\tusbiwi2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\tusbiwiC:\Users\Admin\AppData\Roaming\tusbiwi2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exeC:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (22).exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (22).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_1.exearnatic_1.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 9646⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_2.exearnatic_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_3.exearnatic_3.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_5.exearnatic_5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6094662.exe"C:\Users\Admin\AppData\Roaming\6094662.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\3617142.exe"C:\Users\Admin\AppData\Roaming\3617142.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\1444970.exe"C:\Users\Admin\AppData\Roaming\1444970.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\2815090.exe"C:\Users\Admin\AppData\Roaming\2815090.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_6.exearnatic_6.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\U_gCnYOGFGtpNp1RhiChNYFe.exe"C:\Users\Admin\Documents\U_gCnYOGFGtpNp1RhiChNYFe.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 6567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 6727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 6767⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 8247⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 10367⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 12807⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 12967⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 12407⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\Documents\98WWtCxpwNga2VkAXK4cG0tM.exe"C:\Users\Admin\Documents\98WWtCxpwNga2VkAXK4cG0tM.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\98WWtCxpwNga2VkAXK4cG0tM.exeC:\Users\Admin\Documents\98WWtCxpwNga2VkAXK4cG0tM.exe7⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 98WWtCxpwNga2VkAXK4cG0tM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\98WWtCxpwNga2VkAXK4cG0tM.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 98WWtCxpwNga2VkAXK4cG0tM.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\Documents\9k9jA4J_Ym47FjdWejkW4I4a.exe"C:\Users\Admin\Documents\9k9jA4J_Ym47FjdWejkW4I4a.exe"6⤵
-
C:\Users\Admin\Documents\9k9jA4J_Ym47FjdWejkW4I4a.exeC:\Users\Admin\Documents\9k9jA4J_Ym47FjdWejkW4I4a.exe7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\xolwAgcWXqYVp027P4WKpTtD.exe"C:\Users\Admin\Documents\xolwAgcWXqYVp027P4WKpTtD.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\176456159.exeC:\Users\Admin\AppData\Local\Temp\176456159.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\176456159.exeC:\Users\Admin\AppData\Local\Temp\176456159.exe8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\1444728504.exeC:\Users\Admin\AppData\Local\Temp\1444728504.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1444728504.exeC:\Users\Admin\AppData\Local\Temp\1444728504.exe8⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\Documents\xolwAgcWXqYVp027P4WKpTtD.exe & exit7⤵
-
C:\Windows\SysWOW64\PING.EXEping 08⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\Documents\DdZxc0THJte4BpXtuKf_l5nQ.exe"C:\Users\Admin\Documents\DdZxc0THJte4BpXtuKf_l5nQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\DdZxc0THJte4BpXtuKf_l5nQ.exe"{path}"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\zJ9Gk1_4uyvxDBBpgwHQ9NGr.exe"C:\Users\Admin\Documents\zJ9Gk1_4uyvxDBBpgwHQ9NGr.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\file4.exe"C:\Program Files (x86)\Company\NewProduct\file4.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl8⤵
- Loads dropped DLL
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
-
C:\Users\Admin\Documents\w8pJu5zt31OyBfy8Klc0uA8S.exe"C:\Users\Admin\Documents\w8pJu5zt31OyBfy8Klc0uA8S.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 8967⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\Documents\AVk1ti2LQja2KGQkvSvidMcD.exe"C:\Users\Admin\Documents\AVk1ti2LQja2KGQkvSvidMcD.exe"6⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffae8cf4f50,0x7ffae8cf4f60,0x7ffae8cf4f708⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1592 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings8⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff62e8fa890,0x7ff62e8fa8a0,0x7ff62e8fa8b09⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3368 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4048 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3916 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6016 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6152 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6164 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=896 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3992 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6160 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6432 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6640 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6072 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6904 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,8296563159609580314,11752157119976814900,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:18⤵
-
-
-
-
C:\Users\Admin\Documents\WnzQSR0cicnqeXd8E69ULfyV.exe"C:\Users\Admin\Documents\WnzQSR0cicnqeXd8E69ULfyV.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im WnzQSR0cicnqeXd8E69ULfyV.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\WnzQSR0cicnqeXd8E69ULfyV.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im WnzQSR0cicnqeXd8E69ULfyV.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_7.exearnatic_7.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_7.exe6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_7.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCDA19FE4\arnatic_4.exearnatic_4.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C729.exeC:\Users\Admin\AppData\Local\Temp\C729.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe"C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nrbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\b67c9bd46f\nrbux.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\ac909b1.exe"C:\ProgramData\ac909b1.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\f1a6a48e76c1fd\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
300KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
448KB
-
Filesize
452KB
-
Filesize
448KB
-
Filesize
1.0MB
-
Filesize
108KB
-
Filesize
452KB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
452KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
452KB
-
Filesize
88KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.3MB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
63.8MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
6.0MB