Resubmissions

submitted          analysis ID         score
02-12-2021 07:35   211202-je6zgsfge4   10
10-09-2021 20:31   210910-za2rzaaeh3   10
10-09-2021 19:40   210910-ydvmdsdffp   10
10-09-2021 12:06   210910-n9s4bsdbep   10
10-09-2021 05:37   210910-gbjcxahdh2   10
09-09-2021 22:16   210909-17av7aghb7   10
09-09-2021 22:12   210909-14mqksgha9   10
09-09-2021 22:12   210909-14l42sgha8   10
09-09-2021 22:11   210909-14e1qsgha7   10
09-09-2021 22:11   210909-138lnacacn   10

Analysis
max time kernel: 319s
max time network: 616s
platform: windows10_x64
resource: win10-de-20211014
submitted: 02-12-2021 07:35
Static task: static1
Behavioral task: behavioral1 (sample setup_x86_x64_install.exe, resource win7-ja-20211104)
Behavioral task: behavioral2 (sample setup_x86_x64_install.exe, resource win7-en-20211014)
Behavioral task: behavioral3 (sample setup_x86_x64_install.exe, resource win7-de-20211104)
Behavioral task: behavioral4 (sample setup_x86_x64_install.exe, resource win11)
Behavioral task: behavioral5 (sample setup_x86_x64_install.exe, resource win10-ja-20211014)
Behavioral task: behavioral6 (sample setup_x86_x64_install.exe, resource win10-en-20211104)
General

Target: setup_x86_x64_install.exe
Size: 4.3MB
MD5: 6d18c8e8ab9051f7a70b89ff7bb0ec35
SHA1: 265311e2afd9f59e824f4b77162cf3dfa278eb7e
SHA256: 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
SHA512: 249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff
Malware Config

Extracted: socelars
C2:
- http://www.iyiqian.com/
- http://www.xxhufdc.top/
- http://www.uefhkice.xyz/
- http://www.fcektsy.top/

Extracted: vidar
Version: 40.5
Botnet: 706
C2: https://gheorghip.tumblr.com/
Attributes: profile_id = 706

Extracted: redline
Botnet: pab123
C2: 45.14.49.169:22411

Extracted: smokeloader
Version: 2020
C2:
- http://varmisende.com/upload/
- http://fernandomayol.com/upload/
- http://nextlytm.com/upload/
- http://people4jan.com/upload/
- http://asfaltwerk.com/upload/
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
resource                                                                       yara_rule
behavioral7/memory/1876-242-0x0000000002E80000-0x0000000002E9F000-memory.dmp   family_redline
behavioral7/memory/1876-253-0x0000000004AC0000-0x0000000004ADE000-memory.dmp   family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource                                        yara_rule
behavioral7/files/0x000400000001abfd-152.dat    family_socelars
behavioral7/files/0x000400000001abfd-198.dat    family_socelars

Vidar Stealer 2 IoCs
resource                                                                       yara_rule
behavioral7/memory/1892-237-0x0000000004820000-0x00000000048F1000-memory.dmp   family_vidar
behavioral7/memory/1892-247-0x0000000000400000-0x0000000002BC5000-memory.dmp   family_vidar

resource                                        yara_rule
behavioral7/files/0x000400000001abf0-123.dat    aspack_v212_v242
behavioral7/files/0x000400000001abf0-124.dat    aspack_v212_v242
behavioral7/files/0x000400000001abef-122.dat    aspack_v212_v242
behavioral7/files/0x000400000001abef-129.dat    aspack_v212_v242
behavioral7/files/0x000400000001abef-128.dat    aspack_v212_v242
behavioral7/files/0x000400000001abf2-127.dat    aspack_v212_v242
behavioral7/files/0x000400000001abf2-130.dat    aspack_v212_v242
Executes dropped EXE 17 IoCs
pid    Process
3704   setup_installer.exe
2816   setup_install.exe
1876   Thu21624565bb917a.exe
1956   Thu219d5fe8cf316.exe
2844   Thu21b93295136197.exe
3068   Thu2164f292a11ce.exe
2208   Thu21b9847cb6727.exe
1236   Thu21568b0ab8.exe
1892   Thu214ce31cede21.exe
956    Thu2102ff6cfe07c.exe
1204   Thu21a1ef054cac78a.exe
3684   Thu2156de5489c19.exe
1884   Thu21df5caa1b78de6.exe
2384   Thu214aaca5625.exe
1276   Thu21b93295136197.tmp
1092   Thu214aaca5625.tmp
4688   srfiuas

Loads dropped DLL 9 IoCs
pid    Process
2816   setup_install.exe (8 entries)
1092   Thu214aaca5625.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
16     ip-api.com
25     ipinfo.io
30     ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 11 IoCs
pid    pid_target   Process        procid_target
2368   2816         WerFault.exe   77
380    1884         WerFault.exe   97
1528   1884         WerFault.exe   97
648    1884         WerFault.exe   97
3060   1884         WerFault.exe   97
1484   1884         WerFault.exe   97
1712   1884         WerFault.exe   97
4144   1884         WerFault.exe   97
4188   1884         WerFault.exe   97
4236   1884         WerFault.exe   97
4556   1884         WerFault.exe   97

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description      ioc                                                Process
Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu2164f292a11ce.exe
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu2164f292a11ce.exe
Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu2164f292a11ce.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       Thu214ce31cede21.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Thu214ce31cede21.exe

Kills process with taskkill 1 IoCs
pid    Process
4496   taskkill.exe

Modifies system certificate store
description        ioc                                                                                                                              Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          Thu214ce31cede21.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob =   Thu214ce31cede21.exe
                   5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description              flow   ioc
HTTP User-Agent header   26     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header   30     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header   39     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
2368   WerFault.exe (17 entries)
3068   Thu2164f292a11ce.exe (2 entries)
2368   WerFault.exe (2 entries)
3636   powershell.exe (3 entries)
380    WerFault.exe (17 entries)
3024   Process not Found (10 entries)
1528   WerFault.exe (13 entries)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid    Process
1884   Thu21df5caa1b78de6.exe
3024   Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid    Process
3068   Thu2164f292a11ce.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs
pid    Process                  Token(s) adjusted
1204   Thu21a1ef054cac78a.exe   SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
1236   Thu21568b0ab8.exe        SeDebugPrivilege
1956   Thu219d5fe8cf316.exe     SeDebugPrivilege
2368   WerFault.exe             SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
3636   powershell.exe           SeDebugPrivilege
3684   Thu2156de5489c19.exe     SeDebugPrivilege
380    WerFault.exe             SeDebugPrivilege
1528   WerFault.exe             SeDebugPrivilege
648    WerFault.exe             SeDebugPrivilege
3060   WerFault.exe             SeDebugPrivilege
1484   WerFault.exe             SeDebugPrivilege
1712   WerFault.exe             SeDebugPrivilege
4144   WerFault.exe             SeDebugPrivilege
4188   WerFault.exe             SeDebugPrivilege
4236   WerFault.exe             SeDebugPrivilege
4496   taskkill.exe             SeDebugPrivilege
3024   Process not Found        SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 4 entries each)
4556   WerFault.exe             SeDebugPrivilege

Suspicious use of WriteProcessMemory 64 IoCs
description                        pid    Process                     procid_target
PID 516 wrote to memory of 3704    516    setup_x86_x64_install.exe   76    (3 entries)
PID 3704 wrote to memory of 2816   3704   setup_installer.exe         77    (3 entries)
PID 2816 wrote to memory of 1504   2816   setup_install.exe           80    (3 entries)
PID 2816 wrote to memory of 420    2816   setup_install.exe           81    (3 entries)
PID 2816 wrote to memory of 1048   2816   setup_install.exe           82    (3 entries)
PID 2816 wrote to memory of 1172   2816   setup_install.exe           83    (3 entries)
PID 2816 wrote to memory of 3392   2816   setup_install.exe           86    (3 entries)
PID 2816 wrote to memory of 3016   2816   setup_install.exe           84    (3 entries)
PID 2816 wrote to memory of 1380   2816   setup_install.exe           85    (3 entries)
PID 2816 wrote to memory of 3948   2816   setup_install.exe           93    (3 entries)
PID 2816 wrote to memory of 1636   2816   setup_install.exe           87    (3 entries)
PID 2816 wrote to memory of 3140   2816   setup_install.exe           92    (3 entries)
PID 2816 wrote to memory of 3924   2816   setup_install.exe           88    (3 entries)
PID 1048 wrote to memory of 1876   1048   cmd.exe                     89    (3 entries)
PID 2816 wrote to memory of 1320   2816   setup_install.exe           91    (3 entries)
PID 420 wrote to memory of 1956    420    cmd.exe                     90    (2 entries)
PID 2816 wrote to memory of 1964   2816   setup_install.exe           109   (3 entries)
PID 1504 wrote to memory of 3636   1504   cmd.exe                     108   (3 entries)
PID 3016 wrote to memory of 2844   3016   cmd.exe                     94    (3 entries)
PID 3392 wrote to memory of 3068   3392   cmd.exe                     95    (3 entries)
PID 3948 wrote to memory of 1892   3948   cmd.exe                     107   (3 entries)
PID 1380 wrote to memory of 2208   1380   cmd.exe                     106   (2 entries)
Processes

(Tree depth is given by the leading number; each entry lists the image path, the command line, the PID and the signatures that fired for that process.)

1  C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
   PID: 516
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 3704
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\setup_install.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\setup_install.exe"
         PID: 2816
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 1504
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
               PID: 3636
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe
            PID: 420
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu219d5fe8cf316.exe
               command line: Thu219d5fe8cf316.exe
               PID: 1956
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe
            PID: 1048
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21624565bb917a.exe
               command line: Thu21624565bb917a.exe
               PID: 1876
               - Executes dropped EXE

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe
            PID: 1172

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21a1ef054cac78a.exe
               command line: Thu21a1ef054cac78a.exe
               PID: 1204
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\cmd.exe
                  command line: cmd.exe /c taskkill /f /im chrome.exe
                  PID: 4412

                  7  C:\Windows\SysWOW64\taskkill.exe
                     command line: taskkill /f /im chrome.exe
                     PID: 4496
                     - Kills process with taskkill
                     - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21b93295136197.exe
            PID: 3016
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21b93295136197.exe
               command line: Thu21b93295136197.exe
               PID: 2844
               - Executes dropped EXE

               6  C:\Users\Admin\AppData\Local\Temp\is-5PL8P.tmp\Thu21b93295136197.tmp
                  command line: "C:\Users\Admin\AppData\Local\Temp\is-5PL8P.tmp\Thu21b93295136197.tmp" /SL5="$4013C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21b93295136197.exe"
                  PID: 1276
                  - Executes dropped EXE

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe
            PID: 1380
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21b9847cb6727.exe
               command line: Thu21b9847cb6727.exe
               PID: 2208
               - Executes dropped EXE

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe
            PID: 3392
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu2164f292a11ce.exe
               command line: Thu2164f292a11ce.exe
               PID: 3068
               - Executes dropped EXE
               - Checks SCSI registry key(s)
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe
            PID: 1636

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu2156de5489c19.exe
               command line: Thu2156de5489c19.exe
               PID: 3684
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu214aaca5625.exe
            PID: 3924

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu214aaca5625.exe
               command line: Thu214aaca5625.exe
               PID: 2384
               - Executes dropped EXE

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe
            PID: 1320

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21568b0ab8.exe
               command line: Thu21568b0ab8.exe
               PID: 1236
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone
            PID: 3140

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu21df5caa1b78de6.exe
               command line: Thu21df5caa1b78de6.exe /mixone
               PID: 1884
               - Executes dropped EXE
               - Suspicious behavior: GetForegroundWindowSpam

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 656
                  PID: 380
                  - Program crash
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 672
                  PID: 1528
                  - Program crash
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 772
                  PID: 648
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 820
                  PID: 3060
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 836
                  PID: 1484
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 888
                  PID: 1712
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1100
                  PID: 4144
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1284
                  PID: 4188
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1296
                  PID: 4236
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

               6  C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 688
                  PID: 4556
                  - Program crash
                  - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe
            PID: 3948
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu214ce31cede21.exe
               command line: Thu214ce31cede21.exe
               PID: 1892
               - Executes dropped EXE
               - Checks processor information in registry
               - Modifies system certificate store

         4  C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 448
            PID: 2368
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe
            PID: 1964

1  C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu2102ff6cfe07c.exe
   command line: Thu2102ff6cfe07c.exe
   PID: 956
   - Executes dropped EXE

1  C:\Users\Admin\AppData\Local\Temp\is-PCQDQ.tmp\Thu214aaca5625.tmp
   command line: "C:\Users\Admin\AppData\Local\Temp\is-PCQDQ.tmp\Thu214aaca5625.tmp" /SL5="$30178,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS87E351E5\Thu214aaca5625.exe"
   PID: 1092
   - Executes dropped EXE
   - Loads dropped DLL

1  C:\Users\Admin\AppData\Roaming\srfiuas
   command line: C:\Users\Admin\AppData\Roaming\srfiuas
   PID: 4688
   - Executes dropped EXE