Analysis
max time kernel: 44s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211104
submitted: 23/11/2021, 16:32
Static task: static1
General
Target: 77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe
Size: 6.2MB
MD5: f4405d3dd08690d4ce4e9a02d4c641df
SHA1: 26975067cc24f634f6c64a79b98f356fb639d77e
SHA256: 77012c024869ba2639b54b959fab1e10ebaaf8ebb9bfcc2a11db4c71a2b9fa59
SHA512: 992bd478eaa78efa74a16dc2338b0f9dccf6b91644b35631673aa038e174b6463b6845bbac80fbb14d27fdef8952331c3ce3ae92e14d46ce8cf9290939b3517f
Malware Config

Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.znsjis.top/
  http://www.ecgbg.com/

Extracted: redline
  janera
  65.108.20.195:6774

Extracted: redline
  ANI
  45.142.215.47:27643

Extracted: redline
  matthew2009
  213.166.69.181:64650

Extracted: vidar
  41
  706
  https://mas.to/@killern0
  profile_id: 706

Extracted: smokeloader
  2020
  http://govsurplusstore.com/upload/
  http://best-forsale.com/upload/
  http://chmxnautoparts.com/upload/
  http://kwazone.com/upload/
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 7 IoCs
resource  yara_rule
behavioral2/memory/776-247-0x0000000004BF0000-0x0000000004C0F000-memory.dmp  family_redline
behavioral2/memory/776-257-0x00000000070D0000-0x00000000070EE000-memory.dmp  family_redline
behavioral2/memory/1360-265-0x0000000005330000-0x0000000005936000-memory.dmp  family_redline
behavioral2/memory/3376-272-0x000000000041C5CA-mapping.dmp  family_redline
behavioral2/memory/3376-271-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
behavioral2/memory/2540-285-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
behavioral2/memory/2540-286-0x000000000041C5FA-mapping.dmp  family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 4 IoCs
resource  yara_rule
behavioral2/files/0x000200000001abe6-195.dat  family_socelars
behavioral2/files/0x000200000001abe6-159.dat  family_socelars
behavioral2/files/0x000400000001ac37-575.dat  family_socelars
behavioral2/files/0x000400000001ac37-574.dat  family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description  pid  Process  procid_target
PID 688 created 1260  688  WerFault.exe  91

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 2 IoCs
resource  yara_rule
behavioral2/memory/1260-304-0x0000000000400000-0x000000000051E000-memory.dmp  family_vidar
behavioral2/memory/1260-303-0x00000000021D0000-0x00000000022A4000-memory.dmp  family_vidar

resource  yara_rule
behavioral2/files/0x000500000001abc6-126.dat  aspack_v212_v242
behavioral2/files/0x000500000001abc6-127.dat  aspack_v212_v242
behavioral2/files/0x000500000001abc8-125.dat  aspack_v212_v242
behavioral2/files/0x000500000001abc8-130.dat  aspack_v212_v242
behavioral2/files/0x000400000001abcf-132.dat  aspack_v212_v242
behavioral2/files/0x000400000001abcf-134.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 20 IoCs
pid  Process
3732  setup_installer.exe
1840  setup_install.exe
3972  Thu0024eb0c01ddf62.exe
3168  Thu006994f743f.exe
776  Thu00e6dc783f.exe
1184  Thu008c1e505ef28ce.exe
2972  Thu00e1362251a3.exe
2376  Thu000ee9073d9260.exe
3328  Thu00c42c363480.exe
1152  Thu00b87bb8a6c15.exe
1260  Thu00381dcd157d70.exe
1360  Thu00baff0b12d.exe
588  Thu00308459d5d1.exe
2164  Thu009182426214b9c.exe
2296  Thu0046fa0086fb73b2f.exe
3256  Thu0033b1bf632d.exe
2712  WerFault.exe
684  Thu009182426214b9c.exe
3376  Thu008c1e505ef28ce.exe
2540  Thu009182426214b9c.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Thu00baff0b12d.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Thu00baff0b12d.exe

Loads dropped DLL 7 IoCs
pid  Process
1840  setup_install.exe
1840  setup_install.exe
1840  setup_install.exe
1840  setup_install.exe
1840  setup_install.exe
1840  setup_install.exe
2712  WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource  yara_rule
behavioral2/files/0x000600000001abe8-197.dat  themida
behavioral2/files/0x000600000001abe8-163.dat  themida
behavioral2/memory/1360-233-0x0000000000160000-0x0000000000161000-memory.dmp  themida

description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Thu00baff0b12d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
11  ip-api.com
114  ipinfo.io
115  ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid  Process
1360  Thu00baff0b12d.exe

Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 1184 set thread context of 3376  1184  Thu008c1e505ef28ce.exe  107
PID 2164 set thread context of 2540  2164  Thu009182426214b9c.exe  108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 11 IoCs
pid  pid_target  Process  procid_target
3816  1840  WerFault.exe  69
688  1260  WerFault.exe  91
2712  3972  WerFault.exe  97
3236  3972  WerFault.exe  97
904  3972  WerFault.exe  97
904  3972  WerFault.exe  97
4156  3972  WerFault.exe  97
4852  3972  WerFault.exe  97
4880  3972  WerFault.exe  97
4912  3972  WerFault.exe  97
4936  3972  WerFault.exe  97

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu0033b1bf632d.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu0033b1bf632d.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu0033b1bf632d.exe

Kills process with taskkill 1 IoCs
pid  Process
3800  taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
3256  Thu0033b1bf632d.exe
Suspicious use of AdjustPrivilegeToken 55 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (nesting level in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe"
    PID: 2692
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 3732
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\setup_install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS49E14995\setup_install.exe"
        PID: 1840
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 3312

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 2740
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu0024eb0c01ddf62.exe /mixone
          PID: 3016
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0024eb0c01ddf62.exe
            cmd: Thu0024eb0c01ddf62.exe /mixone
            PID: 3972
            - Executes dropped EXE

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 660
              PID: 2712
              - Executes dropped EXE
              - Loads dropped DLL
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 672
              PID: 3236
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 776
              PID: 904
              - Program crash

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 812
              PID: 904
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 836
              PID: 4156
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 924
              PID: 4852
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1180
              PID: 4880
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1152
              PID: 4912
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1352
              PID: 4936
              - Program crash
              - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00e6dc783f.exe
          PID: 3288
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00e6dc783f.exe
            cmd: Thu00e6dc783f.exe
            PID: 776
            - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00b87bb8a6c15.exe
          PID: 2788

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00b87bb8a6c15.exe
            cmd: Thu00b87bb8a6c15.exe
            PID: 1152
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

          [6] C:\Windows\SysWOW64\cmd.exe
              cmd: cmd.exe /c taskkill /f /im chrome.exe
              PID: 2644

            [7] C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /f /im chrome.exe
                PID: 3800
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00308459d5d1.exe
          PID: 2584

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00308459d5d1.exe
            cmd: Thu00308459d5d1.exe
            PID: 588
            - Executes dropped EXE

          [6] C:\Users\Admin\AppData\Local\Temp\is-MJK9L.tmp\Thu00308459d5d1.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-MJK9L.tmp\Thu00308459d5d1.tmp" /SL5="$20114,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00308459d5d1.exe"
              PID: 2712

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00baff0b12d.exe
          PID: 1476

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00baff0b12d.exe
            cmd: Thu00baff0b12d.exe
            PID: 1360
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00c42c363480.exe
          PID: 1428

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00c42c363480.exe
            cmd: Thu00c42c363480.exe
            PID: 3328
            - Executes dropped EXE

          [6] C:\Users\Admin\Pictures\Adobe Films\7fKV6GhopFBuJFoJqwCxLA4w.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\7fKV6GhopFBuJFoJqwCxLA4w.exe"
              PID: 5060

          [6] C:\Users\Admin\Pictures\Adobe Films\STM1hAMcxfsF3LyUNiT_KmR7.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\STM1hAMcxfsF3LyUNiT_KmR7.exe"
              PID: 4228

          [6] C:\Users\Admin\Pictures\Adobe Films\l1gydy3gVmcG8t1NS2opGHbH.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\l1gydy3gVmcG8t1NS2opGHbH.exe"
              PID: 4212

          [6] C:\Users\Admin\Pictures\Adobe Films\OqI_gmaEMYatwEIvwmw56gCI.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\OqI_gmaEMYatwEIvwmw56gCI.exe"
              PID: 4256

          [6] C:\Users\Admin\Pictures\Adobe Films\1z03anLryLE3Sqr0KYfnhFmh.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\1z03anLryLE3Sqr0KYfnhFmh.exe"
              PID: 4340

          [6] C:\Users\Admin\Pictures\Adobe Films\dZG07bxHRP1maBQzsLI7Kqkq.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\dZG07bxHRP1maBQzsLI7Kqkq.exe"
              PID: 4324

          [6] C:\Users\Admin\Pictures\Adobe Films\ri4rx7QwKuVQuKDHKUSv39kH.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ri4rx7QwKuVQuKDHKUSv39kH.exe"
              PID: 4312

          [6] C:\Users\Admin\Pictures\Adobe Films\o0dzUQHqO3XjnCDNqXd3cAO2.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\o0dzUQHqO3XjnCDNqXd3cAO2.exe"
              PID: 4356

          [6] C:\Users\Admin\Pictures\Adobe Films\ScSE_Vsuz2HcnNv5VJOZO42_.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ScSE_Vsuz2HcnNv5VJOZO42_.exe"
              PID: 4432

          [6] C:\Users\Admin\Pictures\Adobe Films\9S9vt25VG11cwf7Wp7G9x1Z6.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\9S9vt25VG11cwf7Wp7G9x1Z6.exe"
              PID: 4392

          [6] C:\Users\Admin\Pictures\Adobe Films\QgnQVrXGVjLTZsrRq9a0iOeT.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\QgnQVrXGVjLTZsrRq9a0iOeT.exe"
              PID: 4456

          [6] C:\Users\Admin\Pictures\Adobe Films\kCggRAxeXVeWHBbeOQ6hfREu.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\kCggRAxeXVeWHBbeOQ6hfREu.exe"
              PID: 4608

          [6] C:\Users\Admin\Pictures\Adobe Films\6oEQiVzZamskIs4pDxs1DCzk.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\6oEQiVzZamskIs4pDxs1DCzk.exe"
              PID: 4600

          [6] C:\Users\Admin\Pictures\Adobe Films\HgxySBynqYi3rSVZEpgzFD1q.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\HgxySBynqYi3rSVZEpgzFD1q.exe"
              PID: 4576

          [6] C:\Users\Admin\Pictures\Adobe Films\_tTwEMvOyRwexrp4NN1H0aFl.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\_tTwEMvOyRwexrp4NN1H0aFl.exe"
              PID: 4584

          [6] C:\Users\Admin\Pictures\Adobe Films\Xyfk7MbNSN3NcTMW4m08d76Z.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\Xyfk7MbNSN3NcTMW4m08d76Z.exe"
              PID: 4552

          [6] C:\Users\Admin\Pictures\Adobe Films\w1Umc4kV2ArNatN9A7wQROMP.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\w1Umc4kV2ArNatN9A7wQROMP.exe"
              PID: 4512

          [6] C:\Users\Admin\Pictures\Adobe Films\pRbZoyglPhZlhMbKo7cnI0Mt.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\pRbZoyglPhZlhMbKo7cnI0Mt.exe"
              PID: 4500

          [6] C:\Users\Admin\Pictures\Adobe Films\y4bmXZFqNcGJxHg20HyUxBGj.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\y4bmXZFqNcGJxHg20HyUxBGj.exe"
              PID: 4492

          [6] C:\Users\Admin\Pictures\Adobe Films\g0boIGBQYYf9j13ikafC45TP.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\g0boIGBQYYf9j13ikafC45TP.exe"
              PID: 4484

          [6] C:\Users\Admin\Pictures\Adobe Films\ZT_95tBiy6eMkYqM26w0GQ_b.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ZT_95tBiy6eMkYqM26w0GQ_b.exe"
              PID: 4468

          [6] C:\Users\Admin\Pictures\Adobe Films\ednI6tftcxCvQdn4dGRILTtx.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ednI6tftcxCvQdn4dGRILTtx.exe"
              PID: 4472

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00381dcd157d70.exe
          PID: 1380

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00381dcd157d70.exe
            cmd: Thu00381dcd157d70.exe
            PID: 1260
            - Executes dropped EXE

          [6] C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1476
              PID: 688
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu009182426214b9c.exe
          PID: 696

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
            cmd: Thu009182426214b9c.exe
            PID: 2164
            - Executes dropped EXE
            - Suspicious use of SetThreadContext

          [6] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
              PID: 684
              - Executes dropped EXE

          [6] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu009182426214b9c.exe
              PID: 2540
              - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu0033b1bf632d.exe
          PID: 372

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0033b1bf632d.exe
            cmd: Thu0033b1bf632d.exe
            PID: 3256
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu0046fa0086fb73b2f.exe
          PID: 1264

        [5] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu0046fa0086fb73b2f.exe
            cmd: Thu0046fa0086fb73b2f.exe
            PID: 2296
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 592
          PID: 3816
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu000ee9073d9260.exe
          PID: 3624

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu008c1e505ef28ce.exe
          PID: 1140
          - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu00e1362251a3.exe
          PID: 3668
          - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Thu006994f743f.exe
          PID: 3724
          - Suspicious use of WriteProcessMemory

[1] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu00e1362251a3.exe
    cmd: Thu00e1362251a3.exe
    PID: 2972
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
    cmd: Thu008c1e505ef28ce.exe
    PID: 1184
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

  [2] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu008c1e505ef28ce.exe
      PID: 3376
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu000ee9073d9260.exe
    cmd: Thu000ee9073d9260.exe
    PID: 2376
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7zS49E14995\Thu006994f743f.exe
    cmd: Thu006994f743f.exe
    PID: 3168
    - Executes dropped EXE