Analysis

max time kernel: 15s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21/11/2021, 15:16

Static task: static1
Behavioral task: behavioral1
  Sample: b16504e25ef918a88c54371fea0e49aa.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: b16504e25ef918a88c54371fea0e49aa.exe
  Resource: win10-en-20211014

All signature hits, YARA matches and process data on this page are from behavioral2 (the Windows 10 x64 run); the behavioral1 (Windows 7) results are not shown here.

General

Target: b16504e25ef918a88c54371fea0e49aa.exe
Size: 13.8MB
MD5: b16504e25ef918a88c54371fea0e49aa
SHA1: 786cb7fa904b8c19c055b6a49527f7e9d907307a
SHA256: 4066a70177c5b8a86458e8727efaa599b0de0e342fd709eec5d3b78ed066cd67
SHA512: 7a549cf81e37f2c52ecd87b3827f99da8c3bc175a029c0387964a26005dd0fbc918de3261d1e3bd42104bc53eca16325817d85be60bd78688be16118e23ad102
Malware Config

Extracted: amadey
  version: 2.82
  C2: 185.215.113.45/g4MbvE/index.php

Extracted: socelars
  C2: http://www.gianninidesign.com/

Extracted: metasploit
  payload: windows/single_exec

Extracted: smokeloader
  version: 2020
  C2:
    http://membro.at/upload/
    http://jeevanpunetha.com/upload/
    http://misipu.cn/upload/
    http://zavodooo.ru/upload/
    http://targiko.ru/upload/
    http://vues3d.com/upload/
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                         pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4184  3780        rundll32.exe  119
  In this run the child (PID 4184) is rundll32.exe loading a dropped DLL from the user's Temp directory (C:\Users\Admin\AppData\Local\Temp\sqlite.dll, export "global"); see the process tree.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                      yara_rule
  behavioral2/memory/1188-311-0x0000000000418F06-mapping.dmp    family_redline
  behavioral2/memory/3344-312-0x0000000000418EFE-mapping.dmp    family_redline
  Both dumps are from the second, self-spawned instances of Wed059a025cf2a.exe (PID 1188) and Wed059ecd633701f3.exe (PID 3344) in the process tree, not from the on-disk droppers.

SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                  yara_rule
  behavioral2/files/0x000500000001aba8-173.dat    family_socelars
  behavioral2/files/0x000500000001aba8-150.dat    family_socelars

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

ASPack-packed dropped files (yara rule aspack_v212_v242, 6 IoCs)
  resource                                  yara_rule
  behavioral2/files/0x000400000001ab94-124.dat    aspack_v212_v242
  behavioral2/files/0x000400000001ab94-123.dat    aspack_v212_v242
  behavioral2/files/0x000400000001ab95-122.dat    aspack_v212_v242
  behavioral2/files/0x000400000001ab95-126.dat    aspack_v212_v242
  behavioral2/files/0x000400000001ab97-128.dat    aspack_v212_v242
  behavioral2/files/0x000400000001ab97-129.dat    aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (16 IoCs)
  pid   Process
  3988  setup_installer.exe
  436   setup_install.exe
  764   Wed055e29ac05f0e14.exe
  884   Wed05ecd67738969.exe
  1312  Wed058c3464dcf6606b1.exe
  1528  Wed05530159d4f285214.exe
  1796  Wed0534fdcb003d1e565.exe
  1616  Wed05c754f5b2a7ed96.exe
  1888  Wed05572ff115815bed.exe
  904   8T41KE8gpE6KXMeNoNpBc45O.exe
  1240  Wed05b5c2705a.exe
  700   Wed058cca47ea86cc0b.exe
  2880  Wed055e29ac05f0e14.tmp
  3780  wmiprvse.exe
  3560  Wed05c770a4470c.exe
  2164  Wed05cb54d5272ed03.exe
  wmiprvse.exe is a Windows binary, not a dropped file. PID 3780 is also used by Wed059ecd633701f3.exe in the process tree, so this row is a PID-reuse artefact of the sandbox's PID-keyed matching.

Loads dropped DLL (7 IoCs)
  pid   Process
  436   setup_install.exe  (7 DLL loads; the report repeats the row once per load and does not name the files)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  30    ip-api.com
  50    ipinfo.io
  51    ipinfo.io
  166   ipinfo.io
  168   ipinfo.io

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process               procid_target
  PID 3560 set thread context of 3128    3560  Wed05c770a4470c.exe   86
  The target PID 3128 is here the second instance of Wed05c770a4470c.exe /mixtwo (the submitted sample also ran as PID 3128 earlier; PIDs are reused during the run). A process starting a copy of itself and then rewriting that copy's thread context is the usual shape of process hollowing, which is also why the stealer memory dumps above come from child instances.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the TTP; no ransomware family is identified anywhere else in this report, and the same enumeration is common in loaders and stealers.

Program crash (7 IoCs)
  pid   pid_target  Process       procid_target
  848   68          WerFault.exe  148
  2296  836         WerFault.exe  153
  1868  4796        WerFault.exe  132
  5580  4768        WerFault.exe  135
  5748  4768        WerFault.exe  135
  6012  4768        WerFault.exe  135
  4980  4768        WerFault.exe  135
  The crashing processes are the dropped "Adobe Films" payloads alAWlw1xAudIQwzPfJCsecuG.exe (68), CFLWmpJmaQrDqAyz8kGzwPJq.exe (836), 7_AZnSJ8y09DZ8IqiB4VjXjp.exe (4796) and CkV3bMfdkB5vKXlrVdUcFFht.exe (4768, four times).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process       task (from the process tree)
  2160  schtasks.exe  tkools.exe, every minute, runs C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
  3592  schtasks.exe  "PowerControl LG", ONLOGON, /rl HIGHEST, runs C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe
  4544  schtasks.exe  "PowerControl HR", HOURLY, /rl HIGHEST, runs C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe

Kills process with taskkill (3 IoCs)
  pid   Process       command (from the process tree)
  4952  taskkill.exe  taskkill /im "Wed05c770a4470c.exe" /f  (part of a taskkill & erase self-delete chain)
  2120  taskkill.exe  taskkill /f /im chrome.exe
  5068  taskkill.exe  taskkill /f /im chrome.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  pid 884, Wed05ecd67738969.exe, enabled the following token privileges:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 31, 32, 33, 34, 35 (unresolved by the sandbox; by LUID these are SeTrustedCredManAccess, SeRelabel, SeIncreaseWorkingSet, SeTimeZone and SeCreateSymbolicLink).
  The list runs through every well-known privilege LUID in order (2 to 35), i.e. the process walks the whole set and enables each one rather than requesting the specific privilege it needs.

Suspicious use of WriteProcessMemory (64 IoCs)
  One row per write; every spawn in this table is logged as three writes, including the benign cmd.exe launches of powershell.exe, so the count alone does not indicate injection. The table is cut off at 64 entries.
  writer pid  writer Process                         target pid  procid_target  writes
  3128        b16504e25ef918a88c54371fea0e49aa.exe   3988        69             3
  3988        setup_installer.exe                    436         70             3
  436         setup_install.exe                      380         73             3
  436         setup_install.exe                      1580        74             3
  1580        cmd.exe                                1624        75             3
  380         cmd.exe                                2896        76             3
  436         setup_install.exe                      3816        124            3
  436         setup_install.exe                      1068        77             3
  436         setup_install.exe                      1104        123            3
  436         setup_install.exe                      1244        78             3
  436         setup_install.exe                      1268        79             3
  436         setup_install.exe                      2416        120            3
  436         setup_install.exe                      1100        80             3
  436         setup_install.exe                      3476        114            3
  3816        cmd.exe                                884         81             3
  1268        cmd.exe                                764         112            3
  436         setup_install.exe                      3220        82             3
  436         setup_install.exe                      2464        111            3
  2416        cmd.exe                                1312        109            3
  1244        cmd.exe                                1528        83             3
  436         setup_install.exe                      1560        108            3
  1068        cmd.exe                                1796        107            1 (list truncated)
  setup_install.exe (PID 436), running from the 7-Zip SFX extraction directory 7zS49FD66F5, is the fan-out point: it launches one cmd.exe /c wrapper per bundled payload.
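The WriteProcessMemory table above arrives as one run-together line, which is awkward to read but easy to turn back into a process tree. The following script is an added example (not part of the original report and not Triage's own tooling) that parses rows in the flattened form shown on this page, de-duplicates the three-writes-per-spawn pattern, and ranks writers by fan-out. The column layout it assumes, `PID <pid> wrote to memory of <target> <pid> <process> <procid_target>`, is inferred from the rows on this page rather than taken from documentation; the embedded sample is a constructed subset of the table.

```python
"""Rebuild the process tree from Triage's flattened WriteProcessMemory rows.

Added example, not part of the original report. The row layout below is
inferred from the page, not from Triage documentation:
    PID <pid> wrote to memory of <target> <pid> <process> <procid_target>
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) "
    r"(?P<proc>\S+) (?P<procid>\d+)"
)

# Constructed sample: the first rows of this report's table, run together the
# way the page shows them. Each spawn appears as three identical rows; the
# final row is a singleton because the report cuts the table off at 64 entries.
SAMPLE = (
    "PID 3128 wrote to memory of 3988 3128 b16504e25ef918a88c54371fea0e49aa.exe 69 "
    * 3
    + "PID 3988 wrote to memory of 436 3988 setup_installer.exe 70 " * 3
    + "PID 436 wrote to memory of 380 436 setup_install.exe 73 " * 3
    + "PID 436 wrote to memory of 1580 436 setup_install.exe 74 " * 3
    + "PID 1580 wrote to memory of 1624 1580 cmd.exe 75 " * 3
    + "PID 380 wrote to memory of 2896 380 cmd.exe 76 " * 3
    + "PID 436 wrote to memory of 3816 436 setup_install.exe 124 " * 3
    + "PID 3816 wrote to memory of 884 3816 cmd.exe 81 " * 3
    + "PID 436 wrote to memory of 1068 436 setup_install.exe 77 " * 3
    + "PID 1068 wrote to memory of 1796 1068 cmd.exe 107"
)


def parse_rows(text):
    """Return one (writer_pid, target_pid, writer_name) tuple per logged write."""
    return [(int(m["pid"]), int(m["target"]), m["proc"]) for m in ROW_RE.finditer(text)]


def write_counts(rows):
    """Writes per (writer, target) pair; 3 is the normal spawn pattern in this report."""
    return Counter((pid, target) for pid, target, _ in rows)


def build_tree(rows):
    """Map writer pid -> distinct target pids in first-seen order, plus pid -> name.

    Only writers get a name from this table; leaf pids that never write
    (e.g. the powershell.exe children) must be cross-referenced with the
    process list, so render() prints '?' for them.
    """
    children = defaultdict(list)
    names = {}
    for pid, target, name in rows:
        names[pid] = name
        if target not in children[pid]:
            children[pid].append(target)
    return children, names


def fan_out(rows):
    """Writers ranked by number of distinct children; the unpacker hub comes first."""
    children, names = build_tree(rows)
    return sorted(((names[p], p, len(c)) for p, c in children.items()),
                  key=lambda t: (-t[2], t[1]))


def render(rows, root):
    """Indented text tree rooted at `root`."""
    children, names = build_tree(rows)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(render(rows, 3128))
    for name, pid, n in fan_out(rows):
        print(f"{name} ({pid}) spawned {n} distinct children")
```

Run on the full 64-row table from this page the same way; a (writer, target) pair with a write count other than 3, or a writer that is not the child's recorded parent, is what would merit a closer look for injection, and neither occurs in the rows the report shows.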
Processes

Indented by parent/child depth, from behavioral2. Each entry gives the PID and image path; "cmd:" is the command line (omitted where it is only the quoted image path) and "sig:" lists the signatures that fired on that process. The cmd.exe wrappers run from SysWOW64 while their command lines name system32, which is WOW64 file-system redirection of a 32-bit installer. PIDs are reused during the run (3128, 904, 3780, 2160, 2464, 1708 and 4752 each appear twice), so PID-keyed signature hits can land on the wrong process; the "Executes dropped EXE" hit on wmiprvse.exe (PID 3780) belongs to Wed059ecd633701f3.exe, which also ran as PID 3780. Several of the top-level entries are the payloads launched through the cmd.exe /c wrappers under setup_install.exe (for example PID 884 from cmd.exe PID 3816, per the WriteProcessMemory table); the sandbox renders them as roots.

PID 3128  C:\Users\Admin\AppData\Local\Temp\b16504e25ef918a88c54371fea0e49aa.exe
    sig: Suspicious use of WriteProcessMemory
  PID 3988  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      sig: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID 436  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\setup_install.exe
        sig: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID 380  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          sig: Suspicious use of WriteProcessMemory
        PID 2896  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      PID 1580  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          sig: Suspicious use of WriteProcessMemory
        PID 1624  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      PID 1068  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed0534fdcb003d1e565.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1796  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed0534fdcb003d1e565.exe
            cmd: Wed0534fdcb003d1e565.exe
            sig: Executes dropped EXE
      PID 1244  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05530159d4f285214.exe
          sig: Suspicious use of WriteProcessMemory
        PID 1528  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05530159d4f285214.exe
            cmd: Wed05530159d4f285214.exe
            sig: Executes dropped EXE
          PID 1840  C:\Users\Admin\Pictures\Adobe Films\UViMP2qWyimoUYIkt0l4crIc.exe
          PID 4796  C:\Users\Admin\Pictures\Adobe Films\7_AZnSJ8y09DZ8IqiB4VjXjp.exe
            PID 1868  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 400
                sig: Program crash
          PID 4784  C:\Users\Admin\Pictures\Adobe Films\9qVDblyhKVsXgcOtAd2T_NFA.exe
          PID 4776  C:\Users\Admin\Pictures\Adobe Films\8rFk5mzjxBvbENtc8tMixYIb.exe
          PID 4768  C:\Users\Admin\Pictures\Adobe Films\CkV3bMfdkB5vKXlrVdUcFFht.exe
            PID 5580  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 660
                sig: Program crash
            PID 5748  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 672
                sig: Program crash
            PID 6012  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 636
                sig: Program crash
            PID 4980  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 692
                sig: Program crash
          PID 4752  C:\Users\Admin\Pictures\Adobe Films\QmFgp5twAUM0MMenh4LSdZph.exe
            PID 4416  C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
            PID 2004  C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
            PID 5080  C:\Program Files (x86)\Company\NewProduct\inst2.exe
          PID 4760  C:\Users\Admin\Pictures\Adobe Films\a_Mmu11QY_atLtuOBgrqU0HT.exe
          PID 4716  C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe
            PID 4100  C:\Users\Admin\Pictures\Adobe Films\sthgODbYX2Of11giWTy_BR6J.exe
          PID 4700  C:\Users\Admin\Pictures\Adobe Films\wtaq_s4fd9o57dywCuwgZ0Lx.exe
            PID 3592  C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                sig: Creates scheduled task(s)
            PID 4544  C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                sig: Creates scheduled task(s)
            PID 1964  C:\Users\Admin\Documents\PuV639husrW7hD5QLRXbQ0s7.exe
          PID 4904  C:\Users\Admin\Pictures\Adobe Films\KdckbJbEvXnawneMgWVcVVKT.exe
          PID 4888  C:\Users\Admin\Pictures\Adobe Films\CehC_XT5Mlez10jq8xidjaja.exe
            PID 4848  C:\Users\Admin\AppData\Roaming\4455073.exe
            PID 2464  C:\Users\Admin\AppData\Roaming\3896197.exe
              PID 5480  C:\Users\Admin\AppData\Roaming\73986821\7398656173986561.exe
            PID 2284  C:\Users\Admin\AppData\Roaming\3553767.exe
            PID 5160  C:\Users\Admin\AppData\Roaming\3808550.exe
            PID 5188  C:\Users\Admin\AppData\Roaming\2024155.exe
            PID 5204  C:\Users\Admin\AppData\Roaming\5720338.exe
          PID 2160  C:\Users\Admin\Pictures\Adobe Films\EJveuBqJvSoclsucoPaVvMNo.exe
          PID 1708  C:\Users\Admin\Pictures\Adobe Films\v4t5hwiVCu9sVy3TKEpsvy3I.exe
          PID 68  C:\Users\Admin\Pictures\Adobe Films\alAWlw1xAudIQwzPfJCsecuG.exe
            PID 848  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 396
                sig: Program crash
          PID 2376  C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe
            PID 5032  C:\Users\Admin\Pictures\Adobe Films\28quGJwtreiiFR1HusWUIyYe.exe
          PID 2320  C:\Users\Admin\Pictures\Adobe Films\qbBeUVl9QNwds05tTMjsz4CM.exe
          PID 5108  C:\Users\Admin\Pictures\Adobe Films\7fxKjDDZlkmkCuW8KHnMODyf.exe
          PID 836  C:\Users\Admin\Pictures\Adobe Films\CFLWmpJmaQrDqAyz8kGzwPJq.exe
            PID 2296  C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 404
                sig: Program crash
          PID 3772  C:\Users\Admin\Pictures\Adobe Films\sR5jjruz5krCmz6OIuyKYr9_.exe
          PID 904  C:\Users\Admin\Pictures\Adobe Films\8T41KE8gpE6KXMeNoNpBc45O.exe
              sig: Executes dropped EXE
            PID 5852  C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /c taskkill /f /im chrome.exe
              PID 5068  C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill /f /im chrome.exe
                  sig: Kills process with taskkill
          PID 3844  C:\Users\Admin\Pictures\Adobe Films\zLl1mBuFAW0A1ffc07ghZJHU.exe
          PID 3040  C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe
            PID 6056  C:\Users\Admin\Pictures\Adobe Films\Dv1gZvMUBfPFrQitpaSknZyB.exe
          PID 4752  C:\Users\Admin\Pictures\Adobe Films\bit8uz5HLoPvGcl9EO9IVdux.exe
      PID 1268  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed055e29ac05f0e14.exe
          sig: Suspicious use of WriteProcessMemory
        PID 764  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe
            cmd: Wed055e29ac05f0e14.exe
            sig: Executes dropped EXE
      PID 1100  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed058cca47ea86cc0b.exe
        PID 700  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe
            cmd: Wed058cca47ea86cc0b.exe
            sig: Executes dropped EXE
      PID 3220  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05572ff115815bed.exe
        PID 1888  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05572ff115815bed.exe
            cmd: Wed05572ff115815bed.exe
            sig: Executes dropped EXE
      PID 3880  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05b5c2705a.exe
        PID 1240  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05b5c2705a.exe
            cmd: Wed05b5c2705a.exe
            sig: Executes dropped EXE
      PID 2200  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed0507640eb5b.exe
      PID 2764  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed0504ce1fce545657.exe
      PID 2080  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed059a025cf2a.exe
      PID 1560  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed059ecd633701f3.exe
      PID 2464  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05c770a4470c.exe /mixtwo
      PID 3476  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05cb54d5272ed03.exe
      PID 2416  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed058c3464dcf6606b1.exe
          sig: Suspicious use of WriteProcessMemory
      PID 1104  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05c754f5b2a7ed96.exe
      PID 3816  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Wed05ecd67738969.exe
          sig: Suspicious use of WriteProcessMemory

PID 884  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05ecd67738969.exe
    cmd: Wed05ecd67738969.exe
    sig: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID 4128  C:\Windows\SysWOW64\cmd.exe
      cmd: cmd.exe /c taskkill /f /im chrome.exe
    PID 2120  C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /f /im chrome.exe
        sig: Kills process with taskkill

PID 2880  C:\Users\Admin\AppData\Local\Temp\is-49M53.tmp\Wed055e29ac05f0e14.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-49M53.tmp\Wed055e29ac05f0e14.tmp" /SL5="$501C8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe"
    sig: Executes dropped EXE
  PID 2108  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe" /SILENT

PID 3128  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe
    cmd: Wed05c770a4470c.exe /mixtwo
  PID 4288  C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed05c770a4470c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe" & exit
    PID 4952  C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /im "Wed05c770a4470c.exe" /f
        sig: Kills process with taskkill

PID 3088  C:\Users\Admin\AppData\Local\Temp\is-6G32C.tmp\Wed05c754f5b2a7ed96.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-6G32C.tmp\Wed05c754f5b2a7ed96.tmp" /SL5="$30172,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c754f5b2a7ed96.exe"

PID 2372  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe

PID 2324  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe

PID 3596  C:\Users\Admin\AppData\Local\Temp\is-6JHED.tmp\Wed055e29ac05f0e14.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-6JHED.tmp\Wed055e29ac05f0e14.tmp" /SL5="$6006A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed055e29ac05f0e14.exe" /SILENT
  PID 4988  C:\Users\Admin\AppData\Local\Temp\is-DPROD.tmp\winhostdll.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\is-DPROD.tmp\winhostdll.exe" ss1

PID 1708  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058cca47ea86cc0b.exe" -u

PID 2164  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05cb54d5272ed03.exe
    cmd: Wed05cb54d5272ed03.exe
    sig: Executes dropped EXE
  PID 2948  C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
    PID 904  C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
      PID 4484  C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
    PID 2160  C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
        sig: Creates scheduled task(s)
    The REG ADD above does not write a Run key; it points the user's Startup shell folder at the malware's own Temp directory, so everything in C:\Users\Admin\AppData\Local\Temp\2303a34fa8\ is treated as a startup item at the next logon. Checking HKCU\...\User Shell Folders\Startup against its default (%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) is the quick triage test for this technique.

PID 3560  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c770a4470c.exe
    cmd: Wed05c770a4470c.exe /mixtwo
    sig: Executes dropped EXE; Suspicious use of SetThreadContext

PID 3780  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
    cmd: Wed059ecd633701f3.exe
  PID 3344  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059ecd633701f3.exe
      (RedLine memory dump 3344-312 comes from this child instance)

PID 904  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
    cmd: Wed059a025cf2a.exe
  PID 1188  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed059a025cf2a.exe
      (RedLine memory dump 1188-311 comes from this child instance)

PID 1616  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed05c754f5b2a7ed96.exe
    cmd: Wed05c754f5b2a7ed96.exe
    sig: Executes dropped EXE

PID 1312  C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\Wed058c3464dcf6606b1.exe
    cmd: Wed058c3464dcf6606b1.exe
    sig: Executes dropped EXE

PID 3780  C:\Windows\system32\wbem\wmiprvse.exe
    cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    sig: Executes dropped EXE (PID-reuse artefact; see the note at the top of this section)
  PID 4184  C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      sig: Process spawned unexpected child process
    PID 4208  C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    WmiPrvSE.exe as the parent means the launch came through WMI (Win32_Process.Create or similar) rather than a direct CreateProcess from the malware, which breaks the parent/child chain back to the dropper; the 64-bit rundll32 then re-launches its 32-bit counterpart from SysWOW64 for the 32-bit DLL.

PID 4400  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService

PID 4504  C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
    (the once-a-minute scheduled task created by PID 2160 firing)
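The process tree gives four behaviours worth codifying as detections independent of the sandbox's signatures: the two Defender-tampering PowerShell commands, scheduled tasks with /rl HIGHEST or a one-minute repeat, the User Shell Folders Startup redirection, and rundll32.exe loading a DLL from a user-writable directory under an unexpected parent. The script below is an added example (not part of the original report and not Triage's own logic) that applies those rules to records constructed from this tree. RECORDS holds (pid, parent pid, image, command line) tuples copied from the tree; the parent pids follow its nesting and 0 marks a top-level process whose parent the report does not show. The rule names and the UNEXPECTED_CHILDREN table are assumptions of this example. Note that Set-MpPreference -DisableRealtimeMonitoring and Add-MpPreference -ExclusionPath only take effect when run with administrative rights and Tamper Protection off, so the attempt is worth alerting on even where it fails.

```python
"""Command-line and parent/child checks over this report's process tree.

Added example; not part of the original report and not Triage's signature
logic. RECORDS is constructed from entries in the process tree as
(pid, parent pid, image, command line); 0 = no parent shown in the report.
The rule names and UNEXPECTED_CHILDREN are this example's own assumptions.
"""
import re
from pathlib import PureWindowsPath

RECORDS = [
    (436, 3988, r"C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\setup_install.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7zS49FD66F5\setup_install.exe"'),
    (2896, 380, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -inputformat none -outputformat none -NonInteractive -Command "
     "Set-MpPreference -DisableRealtimeMonitoring $true "
     "-SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    (1624, 1580, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -inputformat none -outputformat none -NonInteractive -Command "
     'Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp"'),
    (3592, 4700, r"C:\Windows\SysWOW64\schtasks.exe",
     'schtasks /create /f /RU "Admin" /tr "C:\\Program Files (x86)\\PowerControl\\'
     'PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST'),
    (2160, 2948, r"C:\Windows\SysWOW64\schtasks.exe",
     '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe '
     '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\2303a34fa8\\tkools.exe" /F'),
    (4484, 904, r"C:\Windows\SysWOW64\reg.exe",
     'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" '
     "/f /v Startup /t REG_SZ /d C:\\Users\\Admin\\AppData\\Local\\Temp\\2303a34fa8\\"),
    (3780, 0, r"C:\Windows\system32\wbem\wmiprvse.exe",
     r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    (4184, 3780, r"C:\Windows\system32\rundll32.exe",
     r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    (5068, 5852, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    (4288, 3128, r"C:\Windows\SysWOW64\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "Wed05c770a4470c.exe" /f & erase '
     '"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS49FD66F5\\Wed05c770a4470c.exe" & exit'),
]

# Parent -> children that should never appear under it (assumed table).
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "mshta.exe"},
}
# Directories an unprivileged user can write to; a DLL loaded from here by a
# LOLBin is the first thing to look at.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|pictures|documents|downloads)\\", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_cmdline(rec):
    """Rules keyed on the executable name and its (lower-cased) command line."""
    _, _, image, cmd = rec
    exe, c = basename(image), cmd.lower()
    hits = []
    if "set-mppreference" in c and "-disablerealtimemonitoring $true" in c:
        hits.append("defender_realtime_disabled")
    if "-mapsreporting disable" in c or "-submitsamplesconsent neversend" in c:
        hits.append("defender_cloud_reporting_off")
    if "add-mppreference" in c and "-exclusionpath" in c:
        hits.append("defender_exclusion_added")
    if exe == "schtasks.exe" and "/create" in c:
        hits.append("schtask_created")
        if "/rl highest" in c:
            hits.append("schtask_highest_runlevel")
        if re.search(r"/sc minute /mo 1\b", c):
            hits.append("schtask_every_minute")
    if exe == "reg.exe" and "user shell folders" in c and re.search(r"/v startup\b", c):
        hits.append("startup_folder_redirected")
    if exe == "rundll32.exe" and USER_WRITABLE.search(c):
        hits.append("rundll32_dll_from_user_dir")
    if exe == "taskkill.exe" and re.search(r"/im chrome\.exe", c):
        hits.append("browser_killed")
    if "taskkill" in c and "erase" in c:
        hits.append("self_delete_chain")
    return hits


def check_parent(rec, by_pid):
    """Flag a child image that the recorded parent is not expected to spawn."""
    pid, ppid, image, _ = rec
    parent = by_pid.get(ppid)
    if parent is None:
        return []
    pname, cname = basename(parent[2]), basename(image)
    if cname in UNEXPECTED_CHILDREN.get(pname, set()):
        return [f"unexpected_child:{pname}->{cname}"]
    return []


def scan(records):
    """Return {pid: [rule, ...]} for every record that trips at least one rule."""
    by_pid = {r[0]: r for r in records}
    findings = {}
    for rec in records:
        hits = check_cmdline(rec) + check_parent(rec, by_pid)
        if hits:
            findings[rec[0]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(RECORDS).items():
        print(pid, ", ".join(hits))
```

The parent check relies on the by_pid map being built from the same snapshot as the records; on a live host with PID reuse (this run reuses 3128, 904 and 3780) the lookup has to be keyed on process start time as well as PID, or on the process GUID that Sysmon and most EDRs supply.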