Analysis
-
max time kernel
273s -
max time network
272s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01/11/2022, 21:56
General
-
Target
Setup.exe
-
Size
43.5MB
-
MD5
a14c3f0dcded72374ca1d57b724ccdb3
-
SHA1
940f77301ba37e4aedd054f23114a146cd481f5c
-
SHA256
b49d8694a2a5f04d2b505e77be54fd88990d26fc85a00cb3ea835debccc01353
-
SHA512
da5fefb3b9fcaad236ab8a5702f1aa07d38d10d36c0c00521b737180543ee88fcc0c0efe37761b44b521abdee355b12b382769040667702282898888dbd8985b
-
SSDEEP
786432:4W75K9iIfLI1JzBH9q9H8HPculH4rdlQWxR0XWF1OplrWKqKIwqqIxYBMEg/+3Z:t75uvI11BlHPcuV4rnJUGXOplFSwiaMm
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Drops file in Windows directory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\loader.exe"C:\Users\Admin\Desktop\loader.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05214f50,0x7ffa05214f60,0x7ffa05214f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5084 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4904 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4548 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\dxwebsetup.exe"C:\Users\Admin\Downloads\dxwebsetup.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_24_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_25_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_26_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_27_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_28_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_29_x64.inf4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_0.dll4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_30_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_1_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_1.dll4⤵
- Registers COM server for autorun
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe xinput1_1_x64.inf, Install_Driver4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_2_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_2.dll4⤵
- Registers COM server for autorun
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe xinput1_2_x64.inf, Install_Driver4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_3_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_3.dll4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_31_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_4_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_4.dll4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_32_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_00_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_5_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_5.dll4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_6_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_6.dll4⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_33_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_33_x64.inf4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_7_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_7.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_34_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_34_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_8_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_8.dll4⤵
- Registers COM server for autorun
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_35_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_35_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_9_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_9.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx9_36_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_36_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_2_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT2_10_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine2_10.dll4⤵
- Registers COM server for autorun
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_37_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_37_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_3_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_0_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_0.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_0_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_0.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_38_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_38_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_4_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_1_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_1.dll4⤵
- Registers COM server for autorun
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_1_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_1.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_39_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_39_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_2_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_2.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_2_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_2.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_5_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_3_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_3.dll4⤵
- Registers COM server for autorun
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_3_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_3.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_40_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_40_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_6_x64.inf4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_4_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_4.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_4_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_4.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_41_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_41_x64.inf4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_42_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_42_x64.inf4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx11_42_x64.inf4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dcsx_42_x64.inf4⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DCompiler_42_x64.inf4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_5_x64.inf4⤵
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_5.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_5_x64.inf4⤵
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_5.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe X3DAudio1_7_x64.inf4⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_6_x64.inf4⤵
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_6.dll4⤵
- Modifies registry class
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_6_x64.inf4⤵
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_6.dll4⤵
- Registers COM server for autorun
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DX9_43_x64.inf4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx10_43_x64.inf4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dx11_43_x64.inf4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe d3dcsx_43_x64.inf4⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe D3DCompiler_43_x64.inf4⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XACT3_7_x64.inf4⤵
- Drops file in System32 directory
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\xactengine3_7.dll4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exeC:\Users\Admin\AppData\Local\Temp\DXC04A.tmp\infinst.exe XAudio2_7_x64.inf4⤵
-
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll4⤵
- Registers COM server for autorun
- Modifies registry class
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4004 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5388 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,13355850914150973045,14840946917539212790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4192_689870889\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4192_689870889\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={7976274a-2c3d-4772-ac89-ab91738a6a28} --system2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\loader.exe"C:\Users\Admin\Desktop\loader.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
Filesize
93KB
MD5984cad22fa542a08c5d22941b888d8dc
SHA13e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA25657bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA5128ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
-
Filesize
1.5MB
MD5a5412a144f63d639b47fcc1ba68cb029
SHA181bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA2568a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA5122679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
-
Filesize
173KB
MD57ed554b08e5b69578f9de012822c39c9
SHA1036d04513e134786b4758def5aff83d19bf50c6e
SHA256fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2
SHA5127af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9
-
Filesize
173KB
MD57ed554b08e5b69578f9de012822c39c9
SHA1036d04513e134786b4758def5aff83d19bf50c6e
SHA256fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2
SHA5127af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9
-
Filesize
56KB
MD57b1fbe9f5f43b2261234b78fe115cf8e
SHA1dd0f256ae38b4c4771e1d1ec001627017b7bb741
SHA256762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce
SHA512d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885
-
Filesize
515KB
MD5ac3a5f7be8cd13a863b50ab5fe00b71c
SHA1eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
SHA2568f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
SHA512c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba
-
Filesize
515KB
MD5ac3a5f7be8cd13a863b50ab5fe00b71c
SHA1eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
SHA2568f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
SHA512c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba
-
Filesize
477B
MD5ad8982eaa02c7ad4d7cdcbc248caa941
SHA14ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA5125c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
-
Filesize
42.7MB
MD5ea5519203c0329cdf9620eee5085ac5c
SHA198ede1462f961c5415a751123e2acdcb6dd5327e
SHA256d5b69437f81a83e57d7613286a2f7339a577f85bd82c5543096c826f6780fea0
SHA512fd786bbefe4b117f730ac8b287b02ae60c80063cdc915ee3b5351f6ff3ae855d11562b1a9272d4c726ae5ea53c5833c5bde750d6d5058bbf3bba7601896bbe09
-
Filesize
42.7MB
MD5ea5519203c0329cdf9620eee5085ac5c
SHA198ede1462f961c5415a751123e2acdcb6dd5327e
SHA256d5b69437f81a83e57d7613286a2f7339a577f85bd82c5543096c826f6780fea0
SHA512fd786bbefe4b117f730ac8b287b02ae60c80063cdc915ee3b5351f6ff3ae855d11562b1a9272d4c726ae5ea53c5833c5bde750d6d5058bbf3bba7601896bbe09
-
Filesize
42.7MB
MD5ea5519203c0329cdf9620eee5085ac5c
SHA198ede1462f961c5415a751123e2acdcb6dd5327e
SHA256d5b69437f81a83e57d7613286a2f7339a577f85bd82c5543096c826f6780fea0
SHA512fd786bbefe4b117f730ac8b287b02ae60c80063cdc915ee3b5351f6ff3ae855d11562b1a9272d4c726ae5ea53c5833c5bde750d6d5058bbf3bba7601896bbe09
-
Filesize
288KB
MD52cbd6ad183914a0c554f0739069e77d7
SHA17bf35f2afca666078db35ca95130beb2e3782212
SHA2562cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
-
Filesize
288KB
MD52cbd6ad183914a0c554f0739069e77d7
SHA17bf35f2afca666078db35ca95130beb2e3782212
SHA2562cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
-
Filesize
93KB
MD5984cad22fa542a08c5d22941b888d8dc
SHA13e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA25657bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA5128ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
-
Filesize
1.5MB
MD5a5412a144f63d639b47fcc1ba68cb029
SHA181bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA2568a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA5122679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
-
Filesize
214KB
MD5491c66b02d27c8027db2d66297bc27b8
SHA1cde762d445e2cc5599944c1f7544885bfe9101a9
SHA256be668675dc24f64453f11cf5e0c631982bad3709ad0eadc47e9ddb30d3bdb984
SHA512eefb3c78472b5b8c79b63baff3a2c5d332870991d59de313096cec9d31b0bd47899d49c7b96d688b2474bce42511dd170e51d2ac597cabad1eb578b7e310336c
-
Filesize
2.7MB
MD5a0c031afb19bc9a2a9f53cb3b5bf7ff8
SHA1ff8e61895ef976a45ba5b5ebeacbdbf68ab6f8ce
SHA2567eb3fba2dbc1ea25c95bf6247ad03d769d71bec5498dee218d4c066cc07c3824
SHA5124f7e988251644bcc4c3ce0fb1148ab9fd4c21496f94076302e6e9582f42540ea6d5d78f896028e92e67af5eac00abbced899419c2aa14497f1db81e2510afd79
-
Filesize
2.7MB
MD5a0c031afb19bc9a2a9f53cb3b5bf7ff8
SHA1ff8e61895ef976a45ba5b5ebeacbdbf68ab6f8ce
SHA2567eb3fba2dbc1ea25c95bf6247ad03d769d71bec5498dee218d4c066cc07c3824
SHA5124f7e988251644bcc4c3ce0fb1148ab9fd4c21496f94076302e6e9582f42540ea6d5d78f896028e92e67af5eac00abbced899419c2aa14497f1db81e2510afd79
-
Filesize
2.7MB
MD5a0c031afb19bc9a2a9f53cb3b5bf7ff8
SHA1ff8e61895ef976a45ba5b5ebeacbdbf68ab6f8ce
SHA2567eb3fba2dbc1ea25c95bf6247ad03d769d71bec5498dee218d4c066cc07c3824
SHA5124f7e988251644bcc4c3ce0fb1148ab9fd4c21496f94076302e6e9582f42540ea6d5d78f896028e92e67af5eac00abbced899419c2aa14497f1db81e2510afd79
-
Filesize
670KB
MD504b5bd1135fa4f31cb9c021bb7ff4725
SHA162623b7fa42353db63482af4231ec6772bb8444d
SHA25669f1d1dd8cc363a734972a67ac51538f9bfff990f1298d8d3665fa38ee41a084
SHA512887ca8412f47d4591984316c147d907344cb0b8630c24765a7f7e0d26d52048a55a7fc3604594c402dbbd1dde58471f374cb810e87b06c05039d269fbfb20246
-
Filesize
670KB
MD504b5bd1135fa4f31cb9c021bb7ff4725
SHA162623b7fa42353db63482af4231ec6772bb8444d
SHA25669f1d1dd8cc363a734972a67ac51538f9bfff990f1298d8d3665fa38ee41a084
SHA512887ca8412f47d4591984316c147d907344cb0b8630c24765a7f7e0d26d52048a55a7fc3604594c402dbbd1dde58471f374cb810e87b06c05039d269fbfb20246
-
Filesize
670KB
MD504b5bd1135fa4f31cb9c021bb7ff4725
SHA162623b7fa42353db63482af4231ec6772bb8444d
SHA25669f1d1dd8cc363a734972a67ac51538f9bfff990f1298d8d3665fa38ee41a084
SHA512887ca8412f47d4591984316c147d907344cb0b8630c24765a7f7e0d26d52048a55a7fc3604594c402dbbd1dde58471f374cb810e87b06c05039d269fbfb20246
-
Filesize
84.0MB
-
Filesize
1024KB
-
Filesize
84.0MB
-
Filesize
364KB
-
Filesize
420KB
-
Filesize
316KB
-
Filesize
368KB
-
Filesize
324KB
-
Filesize
376KB
-
Filesize
408KB
-
Filesize
356KB
-
Filesize
312KB
-
Filesize
360KB
-
Filesize
364KB
-
Filesize
420KB
-
Filesize
324KB
-
Filesize
376KB