Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211014
submitted: 20/11/2021, 01:11
Static task: static1
General
Target: E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe
Size: 6.2MB
MD5: 860c180f8e614d3314b8f058d2e91a8d
SHA1: aee319eade0123403551a7a6e9fec06bd940dd2d
SHA256: e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb
SHA512: 68ca22a57b9c64d96c070322b73d18cbf281508a58f525a4ed7544f7418628b26a8bc36b5d703d4fbd5f19a2eb9d2756922085008a3c51c8dc88ef3d3f36a042
Malware Config
Extracted: socelars
  C2: http://www.iyiqian.com/
  C2: http://www.xxhufdc.top/
  C2: http://www.uefhkice.xyz/
  C2: http://www.fcektsy.top/
  C2: http://www.gianninidesign.com/
Extracted: vidar
  Version: 40.6
  Botnet: 706
  C2: https://dimonbk83.tumblr.com/
  profile_id: 706
Extracted: redline
  Botnet: ANI
  C2: 45.142.215.47:27643
Extracted: smokeloader
  Version: 2020
  C2: http://varmisende.com/upload/
  C2: http://fernandomayol.com/upload/
  C2: http://nextlytm.com/upload/
  C2: http://people4jan.com/upload/
  C2: http://asfaltwerk.com/upload/
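The extracted configurations are the most reusable output of this report, but they mix host-level indicators with a C2 parked on a shared service, which needs different handling. The following added Python (not part of the sandbox report or of any of the families' tooling) parses the config blocks exactly as they appear above into typed indicators, defangs them, and separates hosts that can be blocked outright from indicators that must stay URL-scoped. The SHARED_HOSTING list is an assumption, and the hxxp/[.] defanging style is a convention, not something the report prescribes.

```python
"""Normalise this report's 'Malware Config / Extracted' blocks into typed, defanged
indicators (added example, not part of the sandbox report)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The report's config blocks, copied as they appear on the page.
REPORT_CONFIG = """
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.fcektsy.top/
http://www.gianninidesign.com/
Extracted
vidar
40.6
706
https://dimonbk83.tumblr.com/
profile_id
706
Extracted
redline
ANI
45.142.215.47:27643
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
"""

SHARED_HOSTING = ("tumblr.com",)   # assumption: shared services, never block the base domain
KEYS_WITH_VALUE = ("profile_id",)  # the report prints the key on one line, the value on the next
SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass
class Indicator:
    family: str
    kind: str             # "url" or "ipv4_port"
    value: str
    host: str
    port: Optional[int]
    shared_hosting: bool  # host is a shared service: block the URL, not the host


def classify(family, line):
    """Indicator for a URL or ip:port line; None for metadata such as version or botnet id."""
    m = SOCKET_RE.match(line)
    if m and all(int(o) < 256 for o in m.group(1).split(".")):
        return Indicator(family, "ipv4_port", line, m.group(1), int(m.group(2)), False)
    if line.startswith(("http://", "https://")):
        parts = urlsplit(line)
        host = (parts.hostname or "").lower()
        shared = any(host == d or host.endswith("." + d) for d in SHARED_HOSTING)
        return Indicator(family, "url", line, host, parts.port, shared)
    return None


def parse_config(text):
    """Return {family: {"attributes": [str], "indicators": [Indicator]}}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    out, family, i = {}, None, 0
    while i < len(lines):
        line = lines[i]
        if line == "Extracted":                  # a new family block starts
            family = lines[i + 1]
            out[family] = {"attributes": [], "indicators": []}
            i += 2
        elif line in KEYS_WITH_VALUE:            # two-line key/value pair
            out[family]["attributes"].append(f"{line}={lines[i + 1]}")
            i += 2
        else:
            ind = classify(family, line)
            if ind is None:
                out[family]["attributes"].append(line)   # version / botnet id tokens
            else:
                out[family]["indicators"].append(ind)
            i += 1
    return out


def defang(value):
    """hxxp:// and [.] so the indicator cannot be clicked or auto-linked."""
    return re.sub(r"^http", "hxxp", value).replace(".", "[.]")


def blocklist(cfg):
    """Hosts safe to block wholesale vs. URLs that must stay URL-scoped (shared hosting)."""
    hosts, url_only = set(), []
    for fam in cfg.values():
        for ind in fam["indicators"]:
            if ind.shared_hosting:
                url_only.append(ind.value)
            else:
                hosts.add(ind.host)
    return sorted(hosts), url_only
```

Running `blocklist(parse_config(REPORT_CONFIG))` yields eleven hosts that can go straight onto a DNS or proxy denylist and one entry, the Vidar profile URL, that is kept at URL granularity because denying tumblr.com as a whole would also deny the legitimate service the report says is being abused.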
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  2 IoCs
resource                                                                       yara_rule
behavioral2/memory/2856-235-0x0000000000400000-0x0000000000422000-memory.dmp   family_redline
behavioral2/memory/2856-236-0x000000000041C5CA-mapping.dmp                     family_redline
(PID 2856 is the second, self-spawned instance of Tue026e94a5005f8.exe; see Processes.)
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload  4 IoCs
resource                                      yara_rule
behavioral2/files/0x000400000001ab94-151.dat  family_socelars
behavioral2/files/0x000400000001ab94-183.dat  family_socelars
behavioral2/files/0x000500000001abe4-510.dat  family_socelars
behavioral2/files/0x000500000001abe4-511.dat  family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess  1 IoCs
description            pid   Process       procid_target
PID 2976 created 2140  2976  WerFault.exe  92
Note: PID 2976 is the WerFault.exe instance started for the crash of PID 2140 (Tue029560e6534e190c.exe, the process whose memory matches the Vidar rules; see Program crash), so this hit coincides with Windows Error Reporting activity rather than a separately observed parent-PID spoofing step by the payload.
Vidar Stealer  2 IoCs
resource                                                                       yara_rule
behavioral2/memory/2140-228-0x0000000003450000-0x0000000003524000-memory.dmp   family_vidar
behavioral2/memory/2140-231-0x0000000000400000-0x00000000017ED000-memory.dmp   family_vidar
(PID 2140 is Tue029560e6534e190c.exe; see Processes.)

Packer detected (yara: aspack_v212_v242)  7 IoCs
resource                                      yara_rule
behavioral2/files/0x000400000001ab80-119.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab80-122.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab7f-120.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab7f-125.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab7f-124.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab83-126.dat  aspack_v212_v242
behavioral2/files/0x000400000001ab83-128.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE  14 IoCs
pid   Process
1292  setup_install.exe
1112  Tue028a363eda.exe
800   Tue02976fcdf1.exe
608   Tue02522f9ea0b1.exe
1328  Tue02520f255d0ba43a.exe
1420  Tue0289c99651.exe
1216  Tue02dc626f48.exe
1044  Tue026e182673.exe
2328  Tue026e94a5005f8.exe
1440  Tue02705f9c2b455.exe
2040  Tue02b2110095fe706.exe
2140  Tue029560e6534e190c.exe
3652  Tue02b2110095fe706.tmp
2856  Tue026e94a5005f8.exe

Packer detected (yara: vmprotect)  3 IoCs
resource                                                                       yara_rule
behavioral2/files/0x000400000001ab8d-172.dat                                   vmprotect
behavioral2/memory/1420-196-0x0000000140000000-0x0000000140650000-memory.dmp   vmprotect
behavioral2/files/0x000400000001ab8d-178.dat                                   vmprotect
(PID 1420 is Tue0289c99651.exe; the 0x140000000 image base shows it is a 64-bit module.)

Loads dropped DLL  7 IoCs
pid   Process                 loads
1292  setup_install.exe       6
3652  Tue02b2110095fe706.tmp  1
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Legitimate hosting services abused for malware hosting/C2  1 TTPs
(The Vidar C2 extracted above is hosted on tumblr.com.)

Looks up external IP address via web service  3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
30    ip-api.com
112   ipinfo.io
113   ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext  1 IoCs
description                          pid   Process       procid_target
PID 2328 set thread context of 2856  2328  WerFault.exe  99
Note: PID 2328 was reused during this run. It first belongs to Tue026e94a5005f8.exe, which launches a second copy of its own image as PID 2856 (see Processes), and only later to a WerFault.exe instance, so the process name in this row is a PID-reuse artifact. A parent setting the thread context of a freshly spawned copy of itself, whose memory then matches the RedLine rules, is the shape of process hollowing; the behaviour belongs to Tue026e94a5005f8.exe, not to WerFault.exe.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but the payloads identified in this run are stealers and a loader, for which drive enumeration more plausibly serves host fingerprinting or sandbox detection (compare the SCSI registry checks below); do not read it as ransomware evidence on its own.
Program crash  11 IoCs
pid   pid_target  Process       procid_target
3688  1292        WerFault.exe  68
2976  2140        WerFault.exe  92
1288  1044        WerFault.exe  85
3692  1044        WerFault.exe  85
968   1044        WerFault.exe  85
2744  1044        WerFault.exe  85
2868  1044        WerFault.exe  85
1284  1044        WerFault.exe  85
2044  1044        WerFault.exe  85
2328  1044        WerFault.exe  85
1956  1044        WerFault.exe  85
(Nine separate WerFault.exe reports were raised against PID 1044, Tue026e182673.exe /mixone.)
Checks SCSI registry key(s)  3 TTPs  3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                                  Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     Tue02522f9ea0b1.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     Tue02522f9ea0b1.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     Tue02522f9ea0b1.exe
Kills process with taskkill  1 IoCs
pid   Process
1844  taskkill.exe
(taskkill /f /im chrome.exe, launched by Tue02dc626f48.exe; terminating the browser releases its lock on the profile databases that the stealer then reads.)

Modifies system certificate store  2 IoCs
description       ioc                                                                                                                            Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          Tue029560e6534e190c.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted from this report)   Tue029560e6534e190c.exe
Note: AuthRoot is the store that Windows' automatic root-certificate update fills when CryptoAPI needs a public root it does not yet hold locally, and D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the published SHA-1 fingerprint of the Sectigo/Comodo "AAA Certificate Services" root. The write is therefore consistent with chain validation triggered by the payload's own HTTPS traffic (PID 2140 is the Vidar process, whose C2 is on tumblr.com) rather than with installing an attacker-controlled root; an attacker root would carry an unfamiliar thumbprint. Confirm by extracting the certificate from the Blob and hashing it.
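The Blob value itself is elided above, so the check just described has to be done on the host or on a registry hive export. The following added Python (not part of the report or of any Windows tooling) parses the record layout CryptoAPI uses for a serialized store element, propid / reserved (always 1) / length / data, pulls out the DER certificate and compares its SHA-1 with both the stored SHA1_HASH property and the thumbprint in the key name. The property-ID constants are the wincrypt.h values; the sample blob is constructed around placeholder bytes and is not a real certificate.

```python
r"""Parse the CryptoAPI 'Blob' value stored under
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<SHA1>
and verify that the certificate it carries hashes to the key name (added example;
the sample blob is constructed around placeholder bytes, not a real certificate)."""
import hashlib
import struct

# Property IDs from wincrypt.h; each blob record holds one property.
CERT_KEY_PROV_INFO_PROP_ID = 2
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32
PROP_NAMES = {2: "KEY_PROV_INFO", 3: "SHA1_HASH", 4: "MD5_HASH", 11: "FRIENDLY_NAME",
              20: "KEY_IDENTIFIER", 32: "CERT"}


def parse_blob(blob):
    """Records are: propid u32 LE, reserved u32 LE (always 1), length u32 LE, data."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {propid} overruns the blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def build_blob(props):
    """Inverse of parse_blob, used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def is_well_formed(blob):
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def check_entry(key_name, blob):
    """Compare the key-name thumbprint with the stored SHA1_HASH property and with
    the SHA-1 of the embedded DER certificate; a mismatch means the key was renamed
    or the blob was altered."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID, b"")
    computed = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "thumbprint": computed,
        "key_name_matches_cert": computed == key_name.upper(),
        "stored_hash_matches_cert": stored == computed,
        "friendly_name": name,
        "cert_der": cert,   # feed this to: openssl x509 -inform DER -noout -text
    }


# Constructed sample: a placeholder byte string stands in for the DER certificate.
FAKE_CERT = b"\x30\x82\x00\x10constructed-not-a-real-certificate"
SAMPLE_BLOB = build_blob({
    CERT_FRIENDLY_NAME_PROP_ID: "Example Root\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_CERT).digest(),
    CERT_CERT_PROP_ID: FAKE_CERT,
})
SAMPLE_KEY = hashlib.sha1(FAKE_CERT).hexdigest().upper()
```

On a live system the blob comes from `reg query` or a hive export of the key path shown in the table; `check_entry(key_name, blob)` returning `key_name_matches_cert: True` with a well-known thumbprint points to the root-update side effect described above, while an unknown thumbprint or a mismatch is what warrants pulling `cert_der` apart.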
Suspicious behavior: EnumeratesProcesses  64 IoCs
(the 64 listed hits collapsed by process, in order of first appearance)
pid   Process              hits
3688  WerFault.exe         18
2384  powershell.exe       3
608   Tue02522f9ea0b1.exe  2
3064  Process not Found    7   (a process the sandbox could not resolve to an image name)
2976  WerFault.exe         18
1288  WerFault.exe         16
Suspicious behavior: MapViewOfSection  1 IoCs
pid   Process
608   Tue02522f9ea0b1.exe

Suspicious use of AdjustPrivilegeToken  55 IoCs
pid   Process               Token
800   Tue02976fcdf1.exe     SeDebugPrivilege
1216  Tue02dc626f48.exe     SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
      (34 tokens: every privilege LUID from 2 to 35 in order, the "enable all privileges" pattern; 31-35 are LUIDs the sandbox did not name, i.e. SeTrustedCredManAccess, SeRelabel, SeIncreaseWorkingSet, SeTimeZone and SeCreateSymbolicLink)
1440  Tue02705f9c2b455.exe  SeDebugPrivilege
3688  WerFault.exe          SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
2384  powershell.exe        SeDebugPrivilege
1844  taskkill.exe          SeDebugPrivilege
2976  WerFault.exe          SeDebugPrivilege
1288  WerFault.exe          SeDebugPrivilege
3692  WerFault.exe          SeDebugPrivilege
968   WerFault.exe          SeDebugPrivilege
2744  WerFault.exe          SeDebugPrivilege
2868  WerFault.exe          SeDebugPrivilege
3064  Process not Found     SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
1284  WerFault.exe          SeDebugPrivilege
2044  WerFault.exe          SeDebugPrivilege
2328  WerFault.exe          SeDebugPrivilege
1956  WerFault.exe          SeDebugPrivilege
Suspicious use of WriteProcessMemory  64 IoCs
(the 64 listed writes collapsed by source/target pair; the list is capped at 64 entries)
source pid  Process                                          target pid  procid_target  writes
2220        E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe  1292        68             3
1292        setup_install.exe                                440         71             3
1292        setup_install.exe                                2508        72             3
1292        setup_install.exe                                3860        73             3
1292        setup_install.exe                                3764        74             3
1292        setup_install.exe                                2224        75             3
1292        setup_install.exe                                2216        76             3
1292        setup_install.exe                                3208        77             3
3860        cmd.exe                                          1112        78             3
1292        setup_install.exe                                2848        91             3
3764        cmd.exe                                          800         79             2
1292        setup_install.exe                                2360        90             3
2508        cmd.exe                                          608         89             3
1292        setup_install.exe                                1380        80             3
1292        setup_install.exe                                896         88             3
440         cmd.exe                                          2384        87             3
1292        setup_install.exe                                1052        81             3
2224        cmd.exe                                          1328        86             3
1052        cmd.exe                                          1420        82             2
1380        cmd.exe                                          1044        85             3
3208        cmd.exe                                          2328        84             3
2216        cmd.exe                                          1216        83             3
Processes
(indentation shows depth in the process tree; "cmd:" gives the command line where it differs from the image path; the signatures each process triggered follow its PID)

C:\Users\Admin\AppData\Local\Temp\E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe  [PID 2220]  Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\setup_install.exe  [PID 1292]  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  [PID 440]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2384]  Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        C:\Windows\SysWOW64\cmd.exe  [PID 2508]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue02522f9ea0b1.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02522f9ea0b1.exe  [PID 608]  Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
              cmd: Tue02522f9ea0b1.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 3860]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue028a363eda.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue028a363eda.exe  [PID 1112]  Executes dropped EXE
              cmd: Tue028a363eda.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 3764]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue02976fcdf1.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02976fcdf1.exe  [PID 800]  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              cmd: Tue02976fcdf1.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 2224]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue02520f255d0ba43a.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02520f255d0ba43a.exe  [PID 1328]  Executes dropped EXE
              cmd: Tue02520f255d0ba43a.exe
                C:\Users\Admin\Pictures\Adobe Films\pY3V5kPsIX4kNgrswN9ZAnCG.exe  [PID 1944]
                C:\Users\Admin\Pictures\Adobe Films\LtGBiAot9eYh0JLCKwzlzWty.exe  [PID 688]
                C:\Users\Admin\Pictures\Adobe Films\Dd_vErwRLsqGAE4wtmpgYo9C.exe  [PID 2088]
                C:\Users\Admin\Pictures\Adobe Films\wGzSP4QCqfGdvimX9_SNgQYc.exe  [PID 1308]
                C:\Users\Admin\Pictures\Adobe Films\gfn8Fpf3IlcRXEayRiRKhg3j.exe  [PID 3140]
                C:\Users\Admin\Pictures\Adobe Films\lTDoOa2Gkua9BTOrNZuvs9R4.exe  [PID 1088]
                C:\Users\Admin\Pictures\Adobe Films\5Wlez1o3KOq4cmjIurWKzaxB.exe  [PID 968]
                C:\Users\Admin\Pictures\Adobe Films\MSSndjlTnVKtRF8XIZWVOAwf.exe  [PID 316]
                C:\Users\Admin\Pictures\Adobe Films\jXd0hB3iWp_RxMY0206t8DT6.exe  [PID 3312]
                C:\Users\Admin\Pictures\Adobe Films\IfbhxHKoLEkZQOrgVcxQBjX_.exe  [PID 3160]
                    C:\Program Files (x86)\Company\NewProduct\inst2.exe  [PID 4528]
                C:\Users\Admin\Pictures\Adobe Films\vmTa4fa_dFs9Dh2e42TTRnd0.exe  [PID 712]
                C:\Users\Admin\Pictures\Adobe Films\51GVa8nelvqPZQvVeGFCIJ55.exe  [PID 4076]
                C:\Users\Admin\Pictures\Adobe Films\nI35PbbZjhhxhE00Gn35l0d0.exe  [PID 3956]
                C:\Users\Admin\Pictures\Adobe Films\NrUpxaW3U394mmx1iZvE1XAV.exe  [PID 1656]
                C:\Users\Admin\Pictures\Adobe Films\p8HAzJpokOyUs2NDbFHfslnL.exe  [PID 3948]
                C:\Users\Admin\Pictures\Adobe Films\Xa_NCnPkHscOE9Co1_btu8iq.exe  [PID 4244]
                C:\Users\Admin\Pictures\Adobe Films\m4_WlKFS4JO4irEdPhnZqrw7.exe  [PID 4236]
                C:\Users\Admin\Pictures\Adobe Films\mgSvobRobbPXSsC7jnjyGspQ.exe  [PID 4220]
                C:\Users\Admin\Pictures\Adobe Films\apUsnqnKbCa6wDWryZzBIhbO.exe  [PID 4212]
                C:\Users\Admin\Pictures\Adobe Films\B0LsDP8Nwa2GPWQXhYxNvmbJ.exe  [PID 4196]
                C:\Users\Admin\Pictures\Adobe Films\NZAFVdzdK9N_0zjeixWCZKm2.exe  [PID 4188]
                C:\Users\Admin\Pictures\Adobe Films\igbxQ8fwZtvrrRBVm_iCXxOn.exe  [PID 4180]
                C:\Users\Admin\Pictures\Adobe Films\O9KnBNVBRDvvc9u2J6rLyKc6.exe  [PID 4156]
                C:\Users\Admin\Pictures\Adobe Films\QDDzzn6EJGRBIjzODwXrTYjK.exe  [PID 4164]
        C:\Windows\SysWOW64\cmd.exe  [PID 2216]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue02dc626f48.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02dc626f48.exe  [PID 1216]  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              cmd: Tue02dc626f48.exe
                C:\Windows\SysWOW64\cmd.exe  [PID 1444]
                  cmd: cmd.exe /c taskkill /f /im chrome.exe
                    C:\Windows\SysWOW64\taskkill.exe  [PID 1844]  Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
                      cmd: taskkill /f /im chrome.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 3208]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue026e94a5005f8.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue026e94a5005f8.exe  [PID 2328]  Executes dropped EXE
              cmd: Tue026e94a5005f8.exe
                C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue026e94a5005f8.exe  [PID 2856]  Executes dropped EXE
                  cmd: C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue026e94a5005f8.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 1380]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue026e182673.exe /mixone
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue026e182673.exe  [PID 1044]  Executes dropped EXE
              cmd: Tue026e182673.exe /mixone
                C:\Windows\SysWOW64\WerFault.exe  [PID 1288]  Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 656
                C:\Windows\SysWOW64\WerFault.exe  [PID 3692]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 668
                C:\Windows\SysWOW64\WerFault.exe  [PID 968]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 772
                C:\Windows\SysWOW64\WerFault.exe  [PID 2744]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 808
                C:\Windows\SysWOW64\WerFault.exe  [PID 2868]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 704
                C:\Windows\SysWOW64\WerFault.exe  [PID 1284]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 920
                C:\Windows\SysWOW64\WerFault.exe  [PID 2044]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1160
                C:\Windows\SysWOW64\WerFault.exe  [PID 2328]  Suspicious use of SetThreadContext; Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1296
                C:\Windows\SysWOW64\WerFault.exe  [PID 1956]  Program crash; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1368
        C:\Windows\SysWOW64\cmd.exe  [PID 1052]  Suspicious use of WriteProcessMemory
          cmd: C:\Windows\system32\cmd.exe /c Tue0289c99651.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue0289c99651.exe  [PID 1420]  Executes dropped EXE
              cmd: Tue0289c99651.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 896]
          cmd: C:\Windows\system32\cmd.exe /c Tue029560e6534e190c.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue029560e6534e190c.exe  [PID 2140]  Executes dropped EXE; Modifies system certificate store
              cmd: Tue029560e6534e190c.exe
                C:\Windows\SysWOW64\WerFault.exe  [PID 2976]  Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 932
        C:\Windows\SysWOW64\cmd.exe  [PID 2360]
          cmd: C:\Windows\system32\cmd.exe /c Tue02b2110095fe706.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02b2110095fe706.exe  [PID 2040]  Executes dropped EXE
              cmd: Tue02b2110095fe706.exe
        C:\Windows\SysWOW64\cmd.exe  [PID 2848]
          cmd: C:\Windows\system32\cmd.exe /c Tue02705f9c2b455.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02705f9c2b455.exe  [PID 1440]  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              cmd: Tue02705f9c2b455.exe
        C:\Windows\SysWOW64\WerFault.exe  [PID 3688]  Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 580

C:\Users\Admin\AppData\Local\Temp\is-DKKEJ.tmp\Tue02b2110095fe706.tmp  [PID 3652]  Executes dropped EXE; Loads dropped DLL
  cmd: "C:\Users\Admin\AppData\Local\Temp\is-DKKEJ.tmp\Tue02b2110095fe706.tmp" /SL5="$60174,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSCA88ACE5\Tue02b2110095fe706.exe"

Notes on the tree: the 7zSCA88ACE5 directory is the extraction folder of a 7-Zip self-extracting archive, so setup_install.exe and the Tue02*.exe payloads are its bundled contents, and the whole chain runs from the user's Temp directory that the first child excludes from Defender scanning. The is-DKKEJ.tmp\Tue02b2110095fe706.tmp process with the /SL5= switch is an Inno Setup loader stub unpacked by Tue02b2110095fe706.exe (PID 2040); it appears at the top level because the sandbox did not link it to its parent. PIDs 2328 and 968 are each reused by two different processes within the run, so match rows in the Signatures tables to this tree by process name and timing, not by PID alone.