Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/12/2023, 04:31
Static task: static1
Behavioral task: behavioral1
- Sample: c98e8ff8ff04152c062fb39408e19e05.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: c98e8ff8ff04152c062fb39408e19e05.exe
- Resource: win10v2004-20231127-en
General
- Target: c98e8ff8ff04152c062fb39408e19e05.exe
- Size: 238KB
- MD5: c98e8ff8ff04152c062fb39408e19e05
- SHA1: 498ba2ac5a1a2de316afafda6ab6c80d9b8ddeef
- SHA256: feeabd0ec12dfa5f3262e130908a56008d76ef32eb406a72762707bca9331eb9
- SHA512: b0d097bd6b45a03c1f7cd1c213c5235c7e04bf9fe96438b6a0e36eefb1b8da86cc4308f7b2462a06126c49a2276fda57696ecdbc1de1dcc5dd09700bf81fa4e9
- SSDEEP: 3072:QHFS5nO3zlGZ0y/xz34XNUbXw2aIJOIGVRnww9mw7qKKtrjqR9A8GkZ5OeTC4L:hnO3zlU58QAEO/Pnww9z9KVe1Gk3T
Malware Config
Extracted: smokeloader
- up3
Extracted: smokeloader
- 2020
- http://host-file-host6.com/
- http://host-host-file8.com/
Extracted: djvu
- http://zexeq.com/test1/get.php
- extension: .hhuy
- offline_id: gG3wF8nDWRqLztkHPAxMzpvNVlmLBMgQKmKiCNt1
- payload_url: http://brusuax.com/dl/build2.exe
- payload_url: http://zexeq.com/files/1/build3.exe
- ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5zKXJl7cwi Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0834ASdw
Extracted: risepro
- 193.233.132.51
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Detect ZGRat V1 27 IoCs
-
Detected Djvu ransomware 9 IoCs
resource / yara_rule:
- behavioral2/memory/740-54-0x00000000026F0000-0x000000000280B000-memory.dmp (family_djvu)
- behavioral2/memory/4764-53-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/4764-50-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/4764-55-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/4764-56-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/4764-73-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5048-98-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5048-102-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
- behavioral2/memory/5048-96-0x0000000000400000-0x0000000000537000-memory.dmp (family_djvu)
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (2eU4365.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (2eU4365.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (2eU4365.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (2eU4365.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (2eU4365.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (2eU4365.exe)
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (C323.exe)
-
Downloads MZ/PE file
-
.NET Reactor protector 6 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource / yara_rule:
- behavioral2/memory/2416-171-0x0000000002870000-0x00000000028BC000-memory.dmp (net_reactor)
- behavioral2/memory/2416-189-0x0000000005000000-0x0000000005010000-memory.dmp (net_reactor)
- behavioral2/memory/2416-177-0x0000000002A10000-0x0000000002A5A000-memory.dmp (net_reactor)
- behavioral2/memory/6260-634-0x00000000021C0000-0x00000000021DC000-memory.dmp (net_reactor)
- behavioral2/memory/6260-641-0x0000000004990000-0x00000000049AA000-memory.dmp (net_reactor)
- behavioral2/memory/6260-659-0x0000000004B60000-0x0000000004B70000-memory.dmp (net_reactor)
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (C323.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (C323.exe)
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation (D66D.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation (C323.exe)
-
Deletes itself 1 IoCs
pid / Process:
- 3288: Process not Found
-
Drops startup file 1 IoCs
description / ioc / Process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (7QM3sU32.exe)
-
Executes dropped EXE 17 IoCs
pid / Process:
- 4756: C323.exe
- 740: D66D.exe
- 4764: D66D.exe
- 808: DF58.exe
- 4388: D66D.exe
- 5048: D66D.exe
- 2416: EB30.exe
- 1432: F2E2.exe
- 4796: MZ1kH39.exe
- 560: gB6wC87.exe
- 2944: 1pV81kt4.exe
- 6260: 2eU4365.exe
- 6508: 4WG967Qv.exe
- 7128: 7QM3sU32.exe
- 1600: DF58.exe
- 5380: ContextProperties.exe
- 4876: ContextProperties.exe
-
Modifies file permissions 1 TTPs 1 IoCs
pid / Process:
- 4144: icacls.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource / yara_rule:
- behavioral2/files/0x0007000000023216-24.dat (themida)
- behavioral2/files/0x0007000000023216-23.dat (themida)
- behavioral2/memory/4756-36-0x0000000000D30000-0x00000000016EC000-memory.dmp (themida)
- behavioral2/memory/4756-1801-0x0000000000D30000-0x00000000016EC000-memory.dmp (themida)
-
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (2eU4365.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (2eU4365.exe)
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7QM3sU32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7QM3sU32.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7QM3sU32.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (F2E2.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (MZ1kH39.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (gB6wC87.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (7QM3sU32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dd8032d2-9f19-4b6f-908f-0ed659910701\\D66D.exe\" --AutoStart" (D66D.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (C323.exe)
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 91: api.2ip.ua
- 173: ipinfo.io
- 174: ipinfo.io
- 89: api.2ip.ua
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/files/0x0007000000023237-271.dat (autoit_exe)
- behavioral2/files/0x0007000000023237-269.dat (autoit_exe)
-
Drops file in System32 directory 4 IoCs
description / ioc / Process:
- File opened for modification: C:\Windows\System32\GroupPolicy (7QM3sU32.exe)
- File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (7QM3sU32.exe)
- File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (7QM3sU32.exe)
- File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (7QM3sU32.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid / Process:
- 4756: C323.exe
-
Suspicious use of SetThreadContext 5 IoCs
description / pid / Process / procid_target:
- PID 2152 set thread context of 2020: 2152 c98e8ff8ff04152c062fb39408e19e05.exe, procid_target 89
- PID 740 set thread context of 4764: 740 D66D.exe, procid_target 114
- PID 4388 set thread context of 5048: 4388 D66D.exe, procid_target 122
- PID 808 set thread context of 1600: 808 DF58.exe, procid_target 194
- PID 5380 set thread context of 4876: 5380 ContextProperties.exe, procid_target 201
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid / pid_target / Process / procid_target:
- 4740, pid_target 5048: WerFault.exe
- 5436, pid_target 7128: WerFault.exe, procid_target 182
- 6232, pid_target 2416: WerFault.exe, procid_target 123
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c98e8ff8ff04152c062fb39408e19e05.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c98e8ff8ff04152c062fb39408e19e05.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (c98e8ff8ff04152c062fb39408e19e05.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4WG967Qv.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4WG967Qv.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4WG967Qv.exe)
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (7QM3sU32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (7QM3sU32.exe)
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 5440: schtasks.exe
- 4928: schtasks.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid / Process:
- 2020: c98e8ff8ff04152c062fb39408e19e05.exe
- 6508: 4WG967Qv.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 61 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
pid / Process:
- 3288: Process not Found
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7QM3sU32.exe)
-
outlook_win_path 1 IoCs
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (7QM3sU32.exe)
Processes
(process tree; the number in brackets is the nesting depth of each process)
-
[1] C:\Users\Admin\AppData\Local\Temp\c98e8ff8ff04152c062fb39408e19e05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c98e8ff8ff04152c062fb39408e19e05.exe"
    PID: 2152
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\c98e8ff8ff04152c062fb39408e19e05.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c98e8ff8ff04152c062fb39408e19e05.exe"
        PID: 2020
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
-
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B769.bat" "
    PID: 1844
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID: 3700
-
[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B9CB.bat" "
    PID: 4884
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID: 1572
-
[1] C:\Users\Admin\AppData\Local\Temp\C323.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C323.exe
    PID: 4756
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        PID: 6612
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
            PID: 3456
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
            PID: 6932
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
            PID: 5364
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            PID: 5380
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
            PID: 6924
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
            PID: 4956
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
            PID: 6412
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
            PID: 6388
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
            PID: 4780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:13⤵PID:3080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:13⤵PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:83⤵PID:1380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,18019736446971617123,8347678862629736409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:83⤵PID:4108
-
-
-
- [depth 1] PID 740  C:\Users\Admin\AppData\Local\Temp\D66D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D66D.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- [depth 2] PID 4764  C:\Users\Admin\AppData\Local\Temp\D66D.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D66D.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- [depth 3] PID 4144  C:\Windows\SysWOW64\icacls.exe
  cmd: icacls "C:\Users\Admin\AppData\Local\dd8032d2-9f19-4b6f-908f-0ed659910701" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  - Modifies file permissions
- [depth 3] PID 4388  C:\Users\Admin\AppData\Local\Temp\D66D.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\D66D.exe" --Admin IsNotAutoStart IsNotTask
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- [depth 4] PID 5048  C:\Users\Admin\AppData\Local\Temp\D66D.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\D66D.exe" --Admin IsNotAutoStart IsNotTask
  - Executes dropped EXE
- [depth 1] PID 808  C:\Users\Admin\AppData\Local\Temp\DF58.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\DF58.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] PID 1600  C:\Users\Admin\AppData\Local\Temp\DF58.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\DF58.exe
  - Executes dropped EXE
- [depth 1] PID 1960  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 5048
- [depth 1] PID 4740  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 568
  - Program crash
- [depth 1] PID 2416  C:\Users\Admin\AppData\Local\Temp\EB30.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\EB30.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] PID 6232  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1220
  - Program crash
- [depth 1] PID 1432  C:\Users\Admin\AppData\Local\Temp\F2E2.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\F2E2.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- [depth 2] PID 4796  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MZ1kH39.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MZ1kH39.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- [depth 3] PID 6508  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WG967Qv.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WG967Qv.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- [depth 2] PID 7128  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7QM3sU32.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7QM3sU32.exe
  - Drops startup file
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - outlook_office_path
  - outlook_win_path
- [depth 3] PID 5440  C:\Windows\SysWOW64\schtasks.exe
  cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  - Creates scheduled task(s)
- [depth 3] PID 4928  C:\Windows\SysWOW64\schtasks.exe
  cmd: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  - Creates scheduled task(s)
- [depth 3] PID 5436  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 1780
  - Program crash
- [depth 1] PID 560  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gB6wC87.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gB6wC87.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- [depth 2] PID 2944  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pV81kt4.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pV81kt4.exe
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- [depth 3] PID 1268  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- [depth 4] PID 4864  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 4] PID 4136  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
- [depth 4] PID 1096  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
- [depth 4] PID 3280  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
- [depth 4] PID 1352  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
- [depth 4] PID 1848  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
- [depth 4] PID 5136  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
- [depth 4] PID 5532  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
- [depth 4] PID 5680  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
- [depth 4] PID 5820  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
- [depth 4] PID 6040  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
- [depth 4] PID 6076  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
- [depth 4] PID 5808  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
- [depth 4] PID 5944  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
- [depth 4] PID 6220  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
- [depth 4] PID 6448  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
- [depth 4] PID 6528  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,1519108092937694364,6216025800450785669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
- [depth 3] PID 3524  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
- [depth 4] PID 964  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 4] PID 5184  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2886089277515987251,9168032825719720703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
- [depth 3] PID 4040  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- [depth 4] PID 4576  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 3736  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
- [depth 4] PID 2288  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 1396  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
- [depth 4] PID 3556  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 5768  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
- [depth 4] PID 5812  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 5576  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
- [depth 4] PID 5792  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 6016  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
- [depth 3] PID 5968  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
- [depth 4] PID 5692  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 3] PID 6172  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- [depth 4] PID 6272  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x80,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 2] PID 6260  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eU4365.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eU4365.exe
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] PID 5568  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] PID 5692  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] PID 6068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebf9f46f8,0x7ffebf9f4708,0x7ffebf9f4718
- [depth 1] PID 2216  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] PID 6712  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] PID 7020  C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- [depth 1] PID 6396  C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- [depth 1] PID 5224  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7128 -ip 7128
- [depth 1] PID 2988  C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2416 -ip 2416
- [depth 1] PID 5380  C:\Users\Admin\AppData\Local\AceFlags\oqababl\ContextProperties.exe
  cmd: C:\Users\Admin\AppData\Local\AceFlags\oqababl\ContextProperties.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
- [depth 2] PID 4876  C:\Users\Admin\AppData\Local\AceFlags\oqababl\ContextProperties.exe
  cmd: C:\Users\Admin\AppData\Local\AceFlags\oqababl\ContextProperties.exe
  - Executes dropped EXE
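The command lines in the tree above are the parts a detection engineer would key on: icacls denying Everyone (S-1-1-0) delete rights on a GUID-named directory under AppData\Local (PID 4144), two schtasks /create ... /rl HIGHEST tasks pointing into C:\ProgramData with hourly and at-logon triggers (PIDs 5440 and 4928), msedge driven to account login pages by a binary running out of %TEMP% (children of 1pV81kt4.exe, PID 2944), and dropped executables re-spawning their own image with SetThreadContext/WriteProcessMemory in the parent (D66D.exe, DF58.exe). What follows is an added example, not part of the tria.ge report or of any tool it names: Python rules run over process-creation records. The records are constructed by hand from the tree (PIDs, images and command lines copied from the page; the explorer.exe pair, PIDs 100 and 101, is an invented benign control), and the rule names are this example's own.

```python
"""Detection rules over Windows process-creation records, keyed on the
command lines in the tree above. Added example, not tria.ge output."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Rule 1: icacls stripping Everyone's (S-1-1-0) delete rights on a
# GUID-named directory under %LOCALAPPDATA% (PID 4144 in the report).
ICACLS_DENY = re.compile(
    r'icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)
GUID_DIR = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Rule 2: schtasks /create with /rl HIGHEST whose action sits in a
# user-writable path (PIDs 5440 and 4928: HOURLY and ONLOGON into ProgramData).
TASK_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
TASK_SC = re.compile(r"/sc\s+(\w+)", re.I)
TASK_RL = re.compile(r"/rl\s+HIGHEST\b", re.I)
USER_WRITABLE = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\)", re.I)

# Rule 3: a browser opened on a URL by a parent running out of %TEMP%
# (PIDs 1268 and 3524). --single-argument is Edge's ordinary shell-open
# form, so the parent image, not the flag, carries the signal.
SINGLE_ARG = re.compile(r"--single-argument\s+(\S+)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(procs: list) -> list:
    """Return (rule, pid, detail) for every record that trips a rule."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None

        m = ICACLS_DENY.search(p.cmdline)
        if m and GUID_DIR.search(m.group(1)):
            hits.append(("icacls_deny_everyone_guid_dir", p.pid, m.group(1)))

        if basename(p.image) == "schtasks.exe" and TASK_RL.search(p.cmdline):
            tr, sc = TASK_TR.search(p.cmdline), TASK_SC.search(p.cmdline)
            if tr and USER_WRITABLE.match(tr.group(1)):
                trigger = sc.group(1).upper() if sc else "?"
                hits.append(("schtasks_highest_userwritable", p.pid,
                             f"{trigger} -> {tr.group(1)}"))

        if basename(p.image) in BROWSERS and parent is not None:
            url = SINGLE_ARG.search(p.cmdline)
            if url and TEMP_DIR.search(parent.image):
                hits.append(("browser_launched_from_temp", p.pid,
                             f"{basename(parent.image)} -> {url.group(1)}"))

        # Rule 4: a %TEMP% binary re-spawning its own image. Weak on its own;
        # with the parent's SetThreadContext/WriteProcessMemory tags (D66D.exe,
        # DF58.exe above) it is the hollowing pattern the sandbox flags.
        if (parent is not None and TEMP_DIR.search(p.image)
                and p.image.lower() == parent.image.lower()):
            hits.append(("temp_binary_respawns_itself", p.pid, p.image))
    return hits


def summarise(hits: list) -> dict:
    """Map rule name -> sorted PIDs that tripped it."""
    out = {}
    for rule, pid, _ in hits:
        out.setdefault(rule, []).append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


# Constructed records: PIDs, images and command lines copied from the tree
# above; the explorer.exe pair (PIDs 100/101) is an invented benign control.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TASK = (r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131'
        r'\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 {0}" /sc {1} /rl HIGHEST')
SAMPLE = [
    Proc(740, None, TEMP + r"\D66D.exe", TEMP + r"\D66D.exe"),
    Proc(4764, 740, TEMP + r"\D66D.exe", TEMP + r"\D66D.exe"),
    Proc(4144, 4764, r"C:\Windows\SysWOW64\icacls.exe",
         r'icacls "C:\Users\Admin\AppData\Local\dd8032d2-9f19-4b6f-908f-0ed659910701"'
         r" /deny *S-1-1-0:(OI)(CI)(DE,DC)"),
    Proc(4388, 4764, TEMP + r"\D66D.exe", f'"{TEMP}\\D66D.exe" --Admin IsNotAutoStart IsNotTask'),
    Proc(7128, 4796, TEMP + r"\IXP000.TMP\7QM3sU32.exe", TEMP + r"\IXP000.TMP\7QM3sU32.exe"),
    Proc(5440, 7128, r"C:\Windows\SysWOW64\schtasks.exe", TASK.format("HR", "HOURLY")),
    Proc(4928, 7128, r"C:\Windows\SysWOW64\schtasks.exe", TASK.format("LG", "ONLOGON")),
    Proc(2944, 560, TEMP + r"\IXP002.TMP\1pV81kt4.exe", TEMP + r"\IXP002.TMP\1pV81kt4.exe"),
    Proc(1268, 2944, EDGE, f'"{EDGE}" --single-argument https://accounts.google.com/'),
    Proc(3524, 2944, EDGE, f'"{EDGE}" --single-argument https://www.facebook.com/login'),
    Proc(3456, 1268, EDGE, f'"{EDGE}" --type=crashpad-handler /prefetch:7'),
    Proc(100, None, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(101, 100, EDGE, f'"{EDGE}" --single-argument https://www.youtube.com/'),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Against the constructed set the rules flag PIDs 4144, 5440, 4928, 1268, 3524, 4764 and 4388 and stay silent on the crashpad child (3456) and on Edge opened from Explorer (101). In production telemetry (Sysmon event 1 or EDR process-create feeds) rule 4 should be gated on the parent's memory-write behaviour or on the child's image mismatch, since installers and updaters also re-spawn themselves from %TEMP%.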
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 3e61f1b5c83d57794fb57876a8ce4886
  SHA1: d69fb46fde92526ba21a2ee39d9b98445310a71f
  SHA256: 44c1f59f48fca1dbbcb999232154f060a74d760bdb510accace016de59ed4233
  SHA512: 1bc86558d62a6730c2ab9b2382d68b5b35feef499b489c595ffc9fc4b776d63c0f23afcaef91b008bee22145d92067c7344d2f45ecc8d78d5bbe64ac1b2a1cdb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 7dbb296dadd0f058e3aaafc85a9d7524
  SHA1: e2bbe1bd4ca6fa71eb9f2f4c8309c139cdc1bbec
  SHA256: 8fb2661ec6a94139cbe64bcf4da97ccd5131cfc367dbc7b333b421639a40ec40
  SHA512: aa16865c2dd0e7a9ed7fde87a7065c1021ea35188e0de0ebe8bccb8db8832fde5e93ec3a7b66c38a182c8a2150546ee6b7f8428cc9652d8a19c1159bdb7e8ae1
- (path not listed)
  Filesize: 152B
  MD5: 7ee07b80c55c972f8fdcc56d4129733a
  SHA1: 4b24307850f55f31d1b87b7798b3b29c1edf46d1
  SHA256: 5e694fe488825cd3af0ff4d9096b0900ff822ea1319a426c147e1c79562347b6
  SHA512: 76857e8a8117946f6172af72cab8c4aa58f58c1d5d27649fa18101692907397c1ffce2de6557f57ff6fd4c767c27d439849c618d4910b028bc5ea3cfe98cb495
- (path not listed)
  Filesize: 152B
  MD5: e5c27b4a4d5a3c9c60ba18cb867266e3
  SHA1: dea55f1d4cdc831f943f4e56f4f8e9a926777600
  SHA256: 860ed0acc83eb0096cc8911725e2c631ff879ad8c35854577651af502c4b69c9
  SHA512: 56eda28e9c61e8081dadc220d23e7bb3320a9ba557eb7511d17a3d2836aa61f301d1d714a3d611eedd7c4b91886c790af7366b01acdb3b637f3dc4fb024f3f6b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\61401a62-fab6-4d83-ba10-424b7fe83620.tmp
  Filesize: 5KB
  MD5: d44e2ebfacbda456cbe5e9afb8cd8ec4
  SHA1: 5d6533ad3a2bde32a45ec26e0bbbbb328ac492bc
  SHA256: c14290832768aa3abf494e16c7478c1ebba626ad9c33098596fea04c86d2b9d3
  SHA512: 531904778dbe0783f2089582776d791fc98f70508fa77da2c288034593e2dea53944c4403f8dd52c32a0408fc9e7a9951da9983c77e5fa87c72ecd598b677394
- (path not listed)
  Filesize: 14KB
  MD5: 39b7c2536ef3619f381f98922a40aee1
  SHA1: 579659030fa4ffe085e38766e95b2b63b5f7ea0a
  SHA256: 907f6f69ea7f0ac924485cd33c337a8efd40c11d7c915d6f5b6e6be001309fba
  SHA512: bb0aafaee55da0b801bd92a9e88cbee5b64fee1ab7dcf8621dad3c42244ca35363fb5b61eb2f5fcf9c5929e5d173a576cbaec337432c81a574cce6bc3143d5fa
- (path not listed)
  Filesize: 28KB
  MD5: f453cde2367807df0a452cc2891814bd
  SHA1: 29833b82a96fa84724507b5f89ca03e8a0bbb5e6
  SHA256: f14ea17ecea0740d5b7674fdab8df6205bf89773a0534214e0a439109bf45035
  SHA512: 508648965ae5c06b6c3ccb257b69d00bb512425d0d1ec6b40e7d257921af3e5e597ef4a1f0b5f9222312bbc3bd6e766d6c2fb9e7a518783e8a072e171d94e3d8
- (path not listed)
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- (path not listed)
  Filesize: 5KB
  MD5: dc1e433c1609f1f0215b2df2844524ec
  SHA1: 729c8de60e59c584e1a22f01dc3602447b848b7f
  SHA256: 90285c031bf8a37098d4860f9160cc512405ce64a1a2a4b49fd181017a84ce5c
  SHA512: 55cc14a1549c17e6da92e072c813cc58ee8973386b63ef729f5611020eeff26c972e1c9e93b3336968add1a54cab47e349a52184d03f332c39dae73ef15622d1
- (path not listed)
  Filesize: 5KB
  MD5: 46b95103da3b7301cb24c9a11b0f2384
  SHA1: 10935f9ac19a553815734e78c68af4280452ea71
  SHA256: 6399c2554073dba13a7359f6d0b880f315a2374440a7fed6000e6dc032a0ebee
  SHA512: 11525501e1273b71ea945ae8689be534b914c3e729f2d5ef94b3b6962ef6341d16373f83789be1806255caa43138fd4f7488e1cddf3b4e50cc281afc5e5d764e
- (path not listed)
  Filesize: 24KB
  MD5: e30738d93d6789672ce8e1c4bfe275a8
  SHA1: ce2195ec1f2e3830b9a106a9dc8d7fa5397d10fc
  SHA256: 7d60046d1238ff11bdf616d83c212ad6866a7cc630ee9be8580050dee7f74832
  SHA512: e39c9590f558477a1b823de555bf27542a725566d8bd839a1c493459444d49d755445d8ff34f59681ede12a8e654c5a7fc34b6008c9abcfd65d09f6b1b523a65
- (path not listed)
  Filesize: 323B
  MD5: 5bb09788c9541ba2d13fa1729fcf1160
  SHA1: 650626af286f93e2a92930dd45fbcab95101af2a
  SHA256: c0c89f1301f81cf2639f9d5fedc9cab8fafc6d3bd2d5cf4711cb5f42a9511c47
  SHA512: bb20ca5b2f07756e697c5c9955f186727df41fedd29a489540acf0091e4b6a7da9a010001a43071c3b229947ad0678d1ddaf3755e7059ed471d34c6debfc563a
- (path not listed)
  Filesize: 128KB
  MD5: 4131fb09888f94509ef8d8cf7fd13566
  SHA1: af7a348603f16b8ca5eef5d7dbf0b68062285400
  SHA256: 72f19c27e8253d51fc32941370ea6fe2f6b649e2dd3f5e52df3bd8ca8ec15780
  SHA512: fd0712ee9be1cdeccb4255149fd904f7eb5c967a80ee6ed92a25a48c125ef63236b1649d14084768e5235b97d471000bd3d88a4cc8f5831177ebf77ca4d33ecb
- (path not listed)
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- (path not listed)
  Filesize: 11B
  MD5: 838a7b32aefb618130392bc7d006aa2e
  SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
  SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
  SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
- (path not listed)
  Filesize: 10KB
  MD5: a9ff728b9ea310d06daacb6f957cd1f2
  SHA1: 7f79e12ac73eb9255feceb048c34f238857657f7
  SHA256: d2106c7b7c2e8d684762a09cf66131e6b815ee9c92e4c19437590e99daddf5ec
  SHA512: ffbc06dc78beb5d707b93291d06455ea425560e7477da43cdd2fc9ffcafad884be352392f1b64a243b44860b175b25d958ae61b66795d92b279f231a9a9c1150
- (path not listed)
  Filesize: 2KB
  MD5: e3936bdf35c1e26def3effb316e9b419
  SHA1: 79223aedf4a08bc22448493ce46841961f5c6791
  SHA256: 4584bd1815d9476f80aa6032992e791f966102003ca05f51b977b2887faa63be
  SHA512: 11f6dd3e352433ebb113751dc5505d679fda308a0279fd930f635f727396528690a9a536b578122a3bfb10b80e2fa513f2d27464296e6b4066f6bdca9230c744
- (path not listed)
  Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
- (path not listed)
  Filesize: 342KB
  MD5: 70e4d975f15d4933da2e2e4772523883
  SHA1: bd36fb823e470883efcb0ae955634f552cf9556c
  SHA256: e6934d21a8f4d72eac7cadb2f5d3b9b8d7ece47118cbb96a23faefce4c2787ce
  SHA512: ea6db17a7640a2b90d6d5ca5e129632abad6eaa125a8d309534e0b07c72b2da82b45494c9a6f368e1bad6cb93030c7f7d4bbe2c476c7eb1f500bb3549bddd236
- (path not listed)
  Filesize: 630KB
  MD5: d2e51964c34d7b0572f90ad3c496466e
  SHA1: fedcf11c7f18b3c6e0e53d7c6bfe0584d3fb073a
  SHA256: 186023e6180f0e2c51a519427362bfae15708257f2744604477c7c30311716e3
  SHA512: b3affe943b692b7d9406353d59f1e876117f0583be6fc4b08a09c20e2838d2d5c22472e1f792db47d9eb4c36c5541b15acf0ee02cd9090c5316cb9d09042fb63
- (path not listed)
  Filesize: 703KB
  MD5: 454440503db62af8520be0827389df6a
SHA1473f9a477bdb8a408e7fad05e858dbbaa76f1dda
SHA256b816a1f49cf7a431b9c23d32cb60eb6bae72d88b23b19a861e5f690488b00d57
SHA5126c7f3847a00033394f5b8adb1fadb177b6103ccd6a9205dd2dad45e550805a0cf8295df2353bbf62ce9e629c3218e6c44621f716ebef23931b34ba4102debc15
-
Filesize
592KB
MD5a99b339b78da4b4c8b8db75fafabfb0b
SHA183f65ab67f97e36362376bcf51360188ce381c18
SHA256fb755d4e0893611c4ce3bc56309a2a80cdf9adff782d7f3f10a4948f1f4f511c
SHA51276fcec8b4ceac23950582da271a7acac2af7578f56c0e979718d02002ba9d9c18dff832bb1a2f49a8c84ad8d1fe0951e57024fb80758cde313cc516b591fbd45
-
Filesize
73KB
MD579d5f69113af1d589e36929bc3d5fe22
SHA166774180d78f74e07d7ee11a4fad1d107f24c545
SHA2569a138db343ad3bab20bc20108957de668216e29313712101f5b374e5024f24f1
SHA5129b41988e9aedb6595440aea1eb3c7410ba280355ee54b3b05759b93b43094913fb1016e6a43e414f7264452f00a4b33a9fe078f3839f6c4a2b793f9178a4fd4b
-
Filesize
212KB
MD514405897240db0a621e2bdf8e0751aad
SHA19ce03a5290c7571ac196b9a311a07cf4244090b2
SHA256506d22e07b9c4ac24a57b693deaa7158f72c904d221e5ef7d3710911c7a38a37
SHA512044ed9cb6247025956f20002f0a13017cf966102d851b20610b13f5145276889257716edfe1f1d5f14e7384091d9204991e7805317c87f71dc2e48530c705bd5
-
Filesize
340KB
MD5489cff10aa13658719dadd92187b70c0
SHA127aa602226af41d3a79f4e3365f90b402c4ed9f5
SHA256aaaf003879e29c3ae3c10502313ecee2e2d04c4dd4e947863345624e171ef40d
SHA512330a44eb1ba08b77903bf5c58aa38bff82b00ce4f00084d7de082c58a1a079f7b7cbbbac7b7f7577fa68f5e35854ff2a76206bd3f0bb31d6b72f124b485c1ea8
-
Filesize
311KB
MD520ccaf9d91a78a59c086d53e22a7bb6c
SHA14b3c875227bbeb4742b2633e0e93e83e1634f6a5
SHA256359eb7858b4c873b7dee6fa8b9d19b4f58c6e9bbf4c323dd44e962ba783b2fd0
SHA512fdf33ed9812d49baa2c4fdc3ced2d3c5470ec8f5510744633fbd7b9b272bb09715eabf05326059e2169803ca01a36cf906a577fad55fd085aa79f03950626b75
-
Filesize
258KB
MD58a6a030b76420293e06eb991d9c2ac18
SHA1bddb19ec73fce6989848e3ac3dbcbbbec80dde0c
SHA2563104772921fe88ca534cd942dd78930127792b34e8406e6d748d6be47e0450ef
SHA5125fb1ed6b48ea9143d4070b814301950c192ee6de36c64d94e26a2e4e08ebcb59b00c499350736f93e33715bb4ab6ac866330cfcdda38ed5bed202d0f0fe64e12
-
Filesize
290KB
MD5cfb853c31d54e2979f33f9786cf568e4
SHA107513be8c48e8ac035f10f7e7802f2f9e0a04426
SHA256d690eb2918fcac3fa38e251dd34c51332ba70ae726d1e3ba5141a4250879869f
SHA512a6609ed1f25028cd6b1131e99411bae2bf17b025f586ccd04b5e1bfe7be5ebb98c52fc9048e217d8da519468d6abdefcf7cb462a108739dc3963a3e696115298
-
Filesize
92KB
MD58c155067b5c9b4b4b26ba3a4b3818033
SHA1b5abbe1264f97b845c1029861cd19f8ec35d5d8a
SHA256f2e490c03d65ecdd3e3c07d36f58cc7840d14f1adb60e875c445d87504aca9f6
SHA512f84e61a78889fe60d84c631491d042a37da1d11bde56e368ffdf446a23554dc8b53085d4b091622033ea18fbd48a642d2bcbdd0747baa3c05a8a02874e85debd
-
Filesize
136KB
MD5c22c92b2213c34bd3099cb624a2d2654
SHA1d760ca6d47d6e0fa748e782bf3ed4f96e49e42a9
SHA2569024d30357b911eed2eaf58cb247a6b5a4f4f6fd001f75fa5fcab0e52e6cc10c
SHA512d4276bd118c636b65db2679214938ceee757054a41b51c92f4ebe8e9fadf05453fc9cc101837f87760520dd35eaaedb3f40ee8cad51724bd1dcd0e1d3efb932b
-
Filesize
934KB
MD56abd6ed23a406a48aa439134f5d32301
SHA1918ae7d9e51608a2cdc65ed1adc4833bda84deb1
SHA256f99a06a609b21d922eec4a897e2078ad334df11bac719049862fd64d7a8a5ed5
SHA5123f089a6ef5b72462742e3bedda5596434bb5ea27c9fa12ae16f95af8402b8b7fad82bb200b3ba44b1f82c3b0cd9cce990d0d5890d8ae8918e4d4e230ad524750
-
Filesize
147KB
MD52c60868fd3ba715c67fb11bbab61f485
SHA10f057bdca748cd011fe5b8e0002a57631c0ef1be
SHA256bc5b5adf3286e620a47806a692a917141bd8e0378fbff8ca73d4dfcf4812ef04
SHA512c8f222f7d1d324002a6dccc00606dfdbb21e5e770799ec838328dbbcf93e186751eab0dea399f840e3ff195a71c9c48239a781514f0860e835424e9b45b8d933
-
Filesize
77KB
MD512ff7a3ef2a3b88706fb58c7feda73de
SHA11ca23327274e573f510a898c361c965e1581de04
SHA25676522bf4426b1dc477c6a14a0e2fde2580b50fdecb8f1a861d508d3e0ce11b78
SHA512b03412ce57ab34f9563448346e35a92321f6a4b5670ebd15c95dce9a98dd06532245bb554277e2b7757ea8694ce0dded05c57c5074effb62b7c961216d54efe4
-
Filesize
38KB
MD59ac2d409d53ee85ceb60058a8bcc33d9
SHA12dc44451f40097305f330d7fc51f6dbf39c8465c
SHA256871cfada7e4391fdbb6bb8aaff7adf6bd1e4c30699f6bc0f6be4606256cddbfd
SHA5123585e04d38e4d359321e7793e2db93ca29d6784a768466c97fa92f443dc8eec403d4267e812c4775394af1ac84a009c580ecb4e4d0ab7b986ab31ef75c403534
-
Filesize
212KB
MD518f22f6769d72a82cd2f08150157dcdd
SHA18c14398b66fb5aa0c84d807636cb66e2c565ed68
SHA25649909a5b1190b08648c4115bd8e88c8efb005ff7f31273f46b77d8d3cc85be1b
SHA51252200816592c72c7aa483852e8add90eb1efc6b8abdb66b39a9086539789f52ab8f4430e8901a7ce8386555af1161bc00ae695dd8c678e2967bd24f7cf6ba9f0
-
Filesize
87KB
MD51263e6b198d4a20f570074cee23cce4d
SHA19cd9a1865feec0c2470738d0290de0e031f6141e
SHA256e8600c33ad435ceeea03e0ac870c703fded5f928cf645651445e8fa3fb69bb1a
SHA51212a0dc7671deb15a39aa58d478a9c33b26bec87ae1521a0f47dbd81509452da6b6366a6ba812e37046c2d7ef9114507ebc87f0912612657fc3560bf3fbd5dff7
-
Filesize
176KB
MD5c71139dbb3a5a7cdd21a6faaa86d35e1
SHA1ab8f23d4c689536c2ac331477abe3cf48a689426
SHA256f943626c5ddf1d6f121ef90c0ee2124c36ce6f747cae9447952cd542d4f0caca
SHA51280ed898acaf98a716b868816021968ff3b7bc0eb4ea45bda3b1d98ca2acf3f13905f9b4e43d6fc418d34ff8d97ad4b471d657519915ffd98fe9c9ebd7a0d25c2
-
Filesize
94KB
MD5e851174f45457b44a92ea796a05378d4
SHA165128a993d07867eb080d8f0410263e86d5b7056
SHA256e914efa498c98cfdb9b2661e9bc3416bc5b9671a1840712d7fcfabc09252689e
SHA512f0765bf9a8a02eb2ca15ae5fa1766df4c3762d33a8f622d7e05ad29b5b37ad59818dfd8f348d03e93c8cfc77e01a591c3c7cc84b3d78a59ec42e7383268374aa
-
Filesize
182KB
MD5e829279ff2ce0d314b41aefca27d810b
SHA110460cba71726efed02901fffe97c36de58379cb
SHA256f2da17e28e9d2a6a6bb1fb94147b9718649c00ef32244225ec3c401b924bed74
SHA512c9b163ab69c38ac4b9c9d1f0b15a7f989497a4f5bd69417d11849fb5ce94a86e5d468087725f655e8c03406ea6ad6366181dedd7595170371d07fd352e3d4778
-
Filesize
4KB
MD5ea782c31dd81b3db45a4888fe31c3393
SHA11c12e7df01933caf3f15de29023ae74689d10623
SHA25681be61dca23447b9a0c5ff85fc72635826700220fc5c16d99ab7141c36552d1d
SHA5127b7c9d26b17f26f0c38d5a60fa3a7e5a7826d1066499c8b3e4e87edc8eeedffa28aaa155e6d4146e98dc73b96afd623d4e413307694caf898c425a7c6c164c45
-
Filesize
377KB
MD538896a361ade17512c264b1608c721cf
SHA140ac678d12fbee6fc5750b83c1d9d56e17763fea
SHA256f5ee18d20a089d206f28a6aebde1f010c569242fcc708e6eeb77f0db5fc53bce
SHA51254782549b707a6c9889dc1ffad8a6f654b942fe9c7b0fdd1d6e64c8b2278511675e0000e7c43602e4bdf005ee118787fb72a49458070da24352dd48b53a0ec3b