Analysis
-
max time kernel
92s -
max time network
176s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06/09/2021, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
7002991002.js
Resource
win7v20210408
General
-
Target
7002991002.js
-
Size
5.0MB
-
MD5
a20a192f6475f69d11a5517e9542becf
-
SHA1
d21e1fc4f817ec7410d70a88403dd6e7d4f654f8
-
SHA256
2a0356a320b8202a66e35e71cd8aa503953d8ddea284c0da06ae6f2571ec3ff5
-
SHA512
76df370a5d38d580f120f1eaa4ea1ce64b8a80f70fd6c06db9bf78165ab0b068adb04e3bb0c0fb23231575bcf1386fada6bea21f5eb182361ec7496b8f06af78
Malware Config
Signatures
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/files/0x00040000000130bb-61.dat MailPassView behavioral1/files/0x00040000000130bb-62.dat MailPassView behavioral1/files/0x00030000000130c4-65.dat MailPassView behavioral1/files/0x00030000000130c4-67.dat MailPassView behavioral1/files/0x00030000000130c4-68.dat MailPassView behavioral1/memory/1536-73-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1536-74-0x0000000000411654-mapping.dmp MailPassView behavioral1/memory/1536-76-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/files/0x00040000000130bb-61.dat WebBrowserPassView behavioral1/files/0x00040000000130bb-62.dat WebBrowserPassView behavioral1/files/0x00030000000130c4-65.dat WebBrowserPassView behavioral1/files/0x00030000000130c4-67.dat WebBrowserPassView behavioral1/files/0x00030000000130c4-68.dat WebBrowserPassView behavioral1/memory/1308-77-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1308-78-0x0000000000442628-mapping.dmp WebBrowserPassView behavioral1/memory/1308-80-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 11 IoCs
resource yara_rule behavioral1/files/0x00040000000130bb-61.dat Nirsoft behavioral1/files/0x00040000000130bb-62.dat Nirsoft behavioral1/files/0x00030000000130c4-65.dat Nirsoft behavioral1/files/0x00030000000130c4-67.dat Nirsoft behavioral1/files/0x00030000000130c4-68.dat Nirsoft behavioral1/memory/1536-73-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1536-74-0x0000000000411654-mapping.dmp Nirsoft behavioral1/memory/1536-76-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1308-77-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1308-78-0x0000000000442628-mapping.dmp Nirsoft behavioral1/memory/1308-80-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Blocklisted process makes network request 7 IoCs
flow pid Process 4 2028 wscript.exe 8 2028 wscript.exe 9 2028 wscript.exe 12 2028 wscript.exe 14 2028 wscript.exe 16 2028 wscript.exe 20 2028 wscript.exe -
Executes dropped EXE 2 IoCs
pid Process 108 whhost.exe 1940 Windows Update.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js wscript.exe -
Loads dropped DLL 1 IoCs
pid Process 108 whhost.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com 10 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1940 set thread context of 1536 1940 Windows Update.exe 34 PID 1940 set thread context of 1308 1940 Windows Update.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
pid Process 1728 taskkill.exe 1716 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Windows Update.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Windows Update.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Windows Update.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Windows Update.exe -
Script User-Agent 10 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 12 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 16 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 9 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 23 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 24 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 25 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 26 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 14 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands HTTP User-Agent header 22 WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1308 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1940 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1940 Windows Update.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2028 wrote to memory of 108 2028 wscript.exe 30 PID 2028 wrote to memory of 108 2028 wscript.exe 30 PID 2028 wrote to memory of 108 2028 wscript.exe 30 PID 2028 wrote to memory of 108 2028 wscript.exe 30 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 108 wrote to memory of 1940 108 whhost.exe 33 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1536 1940 Windows Update.exe 34 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35 PID 1940 wrote to memory of 1308 1940 Windows Update.exe 35
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\whhost.exe"C:\Users\Admin\AppData\Local\Temp\whhost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵PID:1536
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"2⤵PID:1608
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"2⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exeC:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe2⤵PID:544
-
C:\Windows\system32\taskkill.exetaskkill /F /IM cmdc.exe3⤵
- Kills process with taskkill
PID:1716
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe2⤵PID:1448
-
C:\Windows\system32\taskkill.exetaskkill /F /IM cmdc.exe3⤵
- Kills process with taskkill
PID:1728
-
-
-
C:\Users\Admin\AppData\Local\Temp\cmdc.exe"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata2⤵PID:1412
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"2⤵PID:1524
-