Source: Process started | Author: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', CommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' , ParentImage: C:\Users\user\AppData\Roaming\Adnexal8.exe, ParentProcessId: 6892, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ', ProcessId: 4540 |
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: 12.2.Adnexal8.exe.400000.0.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: 12.1.Adnexal8.exe.400000.0.unpack | Avira: Label: TR/Kryptik.avp.8 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, | 1_2_0040D423 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, | 1_2_0040A364 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree, | 1_2_0040A1A9 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_004041BC CryptUnprotectData,LocalFree, | 1_2_004041BC |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, | 1_2_0040A5BD |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA, | 1_2_0040BA2E |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree, | 1_2_0040CEA2 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree, | 1_2_0040A774 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, | 12_2_0040D423 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, | 12_2_0040A364 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree, | 12_2_0040A1A9 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_004041BC CryptUnprotectData,LocalFree, | 12_2_004041BC |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, | 12_2_0040A5BD |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA, | 12_2_0040BA2E |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree, | 12_2_0040CEA2 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree, | 12_2_0040A774 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 1_2_00404C68 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_2_0040890D |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, | 1_2_00404FD8 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_2_00403F86 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 1_2_00409484 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_2_00408789 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 1_1_00404C68 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_1_0040890D |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, | 1_1_00404FD8 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_1_00403F86 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 1_1_00409484 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 1_1_00408789 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 12_2_00404C68 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_2_0040890D |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, | 12_2_00404FD8 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_2_00403F86 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 12_2_00409484 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_2_00408789 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 12_1_00404C68 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_1_0040890D |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, | 12_1_00404FD8 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_1_00403F86 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, | 12_1_00409484 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, | 12_1_00408789 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNWeb DataLogin Dataloginsorigin_urlpassword_valueusername_valueftp://http://https://moz_loginshostnameencryptedPasswordencryptedUsername\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook) |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Adnexal8.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://https://ftp://operawand.dat_Software |
Source: Adnexal8.exe | String found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI |
Source: Adnexal8.exe, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/ |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9 |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/? |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591B |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/setpc=s&uxe=4421591W |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1 |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=168R |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/?gws_rd=ssl |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/favicon.ico |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/gws_rd=ssl |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/W9 |
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/searchLMEM |
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR | Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B40D59 | 0_2_04B40D59 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0041280A | 1_2_0041280A |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00402E46 | 1_2_00402E46 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_0041280A | 1_1_0041280A |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00402E46 | 1_1_00402E46 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B20D59 | 10_2_04B20D59 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0041280A | 12_2_0041280A |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00402E46 | 12_2_00402E46 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_0041280A | 12_1_0041280A |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00402E46 | 12_1_00402E46 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401D69 appears 60 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 0040417C appears 118 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410D46 appears 36 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410C9E appears 38 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410E30 appears 84 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401D15 appears 48 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00404131 appears 106 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401C8E appears 278 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 004052CA appears 32 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401D69 appears 60 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 0040417C appears 118 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410D46 appears 36 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410C9E appears 38 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410E30 appears 84 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401D15 appears 48 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00404131 appears 106 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401C8E appears 278 times | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 004052CA appears 32 times | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B41491 NtProtectVirtualMemory, | 0_2_04B41491 |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B40A06 NtSetContextThread, | 0_2_04B40A06 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B21491 NtProtectVirtualMemory, | 10_2_04B21491 |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B20A06 NtSetContextThread, | 10_2_04B20A06 |
Source: unknown | Process created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' | |
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' ' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe' | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe' | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe' | |
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
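The process-creation rows above describe a tree that is worth turning into detection logic: the sample re-spawns its own image, then starts cmd.exe /c with a .bat from %TEMP% that receives the executable's own path as argument; a .vbe in the per-user Startup folder is run by wscript.exe, which in turn launches the copy under AppData\Roaming, and that copy repeats the same two steps. The example below is an added one, not part of the sandbox report or of any vendor's rule set. The events are constructed to mirror the rows (the report renders double quotes in command lines as doubled single quotes, so the regexes accept either quote character), the indicator names are my own, and the reading of "process spawns its own image" plus the NtProtectVirtualMemory/NtSetContextThread functions listed above as a self-injection/hollowing shape is an inference, not something the report states.

```python
"""Flag the process-tree shape shown in the sandbox rows.

Events are constructed from the report's parent/child paths and command lines;
they are not the sandbox's raw log format. Feed real Sysmon Event ID 1 or
Security 4688 records by mapping ParentImage/Image/CommandLine onto ProcEvent.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: who spawned what, with which command line."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Script extensions a Windows script host will execute from the Startup folder.
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^'\"\s]+\.(vbe|vbs|js|jse|wsf)", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^'\"\s]+\.bat", re.IGNORECASE)
CMD_SWITCH_C = re.compile(r"\s/c\s", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def detect(ev: ProcEvent) -> List[str]:
    """Return the indicator names (assumed names, my own) an event triggers."""
    hits: List[str] = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line

    # (1) A process spawning a copy of its own image. Weak alone; paired with
    # NtProtectVirtualMemory/NtSetContextThread in the same binary it is the
    # usual shape of self-injection or process hollowing (inference, not report).
    if ev.parent_image.lower() == ev.image.lower():
        hits.append("self_respawn")

    # (2) cmd.exe /c running a .bat from %TEMP% and passing the parent's own
    # path as the batch argument (the 125xxxxx.bat rows in the report).
    if (img == "cmd.exe" and CMD_SWITCH_C.search(cmd) and TEMP_BAT.search(cmd)
            and ev.parent_image.lower() in cmd.lower()):
        hits.append("temp_bat_with_parent_path")

    # (3) A script host started on a script in the per-user Startup folder
    # (the Adnexal8.vbe persistence row).
    if img in SCRIPT_HOSTS and STARTUP_SCRIPT.search(cmd):
        hits.append("startup_folder_script")

    # (4) A script host launching an executable out of %APPDATA%\Roaming.
    if parent in SCRIPT_HOSTS and "\\appdata\\roaming\\" in ev.image.lower():
        hits.append("script_host_spawns_appdata_exe")

    return hits


def scan(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map each indicator to the indices of the events that triggered it."""
    out: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for tag in detect(ev):
            out.setdefault(tag, []).append(i)
    return out


# Constructed events modelled on the report's "Process created" rows, plus one
# benign control (explorer.exe launching notepad.exe) that must not fire.
SAMPLE = r"C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Adnexal8.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EVENTS = [
    ProcEvent("unknown", SAMPLE, "'" + SAMPLE + "'"),
    ProcEvent(SAMPLE, SAMPLE, "'" + SAMPLE + "'"),
    ProcEvent(SAMPLE, CMD, r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' '" + SAMPLE + "' '"),
    ProcEvent(CMD, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent("unknown", WSCRIPT, r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe'"),
    ProcEvent(WSCRIPT, DROPPED, "'" + DROPPED + "'"),
    ProcEvent(DROPPED, DROPPED, "'" + DROPPED + "'"),
    ProcEvent(DROPPED, CMD, r"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' '" + DROPPED + "' '"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for tag, idx in sorted(scan(EVENTS).items()):
        print(f"{tag:32s} events {idx}")
```

Indicator (2) is the one to alert on by itself: a .bat in %TEMP% handed the parent's own path is rarely legitimate, and it fires twice here, once for the Desktop sample and once for the Roaming copy. Indicators (1), (3) and (4) are noisy individually and are better scored together, for example requiring (3) followed by (4) from the same wscript.exe instance before raising an alert.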