Analysis
Max time kernel: 62s
Max time network: 161s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 20/12/2021, 14:02

Static task: static1
Behavioral task: behavioral1
  Sample: 51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
  Resource: win10-en-20211208
(Every yara hit and memory dump on this page references behavioral2, the Windows 10 run; the Windows 7 run is not shown here.)

General
Target: 51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
Size: 7.2MB
MD5: dae2316b551b4502015dee0773decd38
SHA1: 129446f53bd0ec2f336235dfa9ab7505e326354e
SHA256: 51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10
SHA512: c52a5cc90d6e53d9968a585910d472af3188d0c509b51ecd9aa0e3e6a44fe866a9bdd5e473beccdb7dfe0fab7df95b0e6532b75a4535be91737932bb48353736
Malware Config
Extracted: socelars
  C2: http://www.biohazardgraphics.com/
Extracted: raccoon
  b2a6680a55967ecaa6997d8e44705c8be49a632c
  url4cnc:
    http://194.180.174.53/masseffectus2
    http://91.219.236.18/masseffectus2
    http://194.180.174.41/masseffectus2
    http://91.219.236.148/masseffectus2
    https://t.me/masseffectus2
Extracted: vidar
  49.1
  915
  C2:
    https://noc.social/@sergeev46
    https://c.im/@sergeev47
  profile_id: 915
Extracted: smokeloader
  2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
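The indicators above are of two kinds: attacker-controlled hosts and IPs (the Socelars, SmokeLoader and Raccoon IP entries), and paths on legitimate services that only resolve the real C2 (the Telegram channel in Raccoon's url4cnc list, the Mastodon profiles used by Vidar). Matching the second kind on hostname alone would alert on every visit to t.me or a Mastodon instance, just as matching ip-api.com would alert on a legitimate IP-lookup service. The following Python is an added example, not part of the sandbox report, that applies host-level rules to the first kind and host-plus-path rules to the second. The proxy log lines are constructed for the example, and their Squid-like layout (epoch, client, method, URL, status) is an assumption.

```python
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config section.
C2 = {
    "socelars": ["http://www.biohazardgraphics.com/"],
    "raccoon": [
        "http://194.180.174.53/masseffectus2",
        "http://91.219.236.18/masseffectus2",
        "http://194.180.174.41/masseffectus2",
        "http://91.219.236.148/masseffectus2",
        "https://t.me/masseffectus2",
    ],
    "vidar": ["https://noc.social/@sergeev46", "https://c.im/@sergeev47"],
    "smokeloader": [
        "http://rcacademy.at/upload/",
        "http://e-lanpengeonline.com/upload/",
        "http://vjcmvz.cn/upload/",
        "http://galala.ru/upload/",
        "http://witra.ru/upload/",
    ],
}

# Legitimate services used as dead-drop resolvers (Raccoon reads its C2 from a Telegram
# channel page, Vidar from Mastodon profiles). These are matched on host + path.
# Assumption for this example: the set is maintained by hand.
SHARED_HOSTS = {"t.me", "noc.social", "c.im"}


def build_index(c2=C2):
    """Split the indicator list into host-level rules and (host, path)-level rules."""
    host_rules, path_rules = {}, {}
    for family, urls in c2.items():
        for url in urls:
            parts = urlsplit(url)
            host = parts.hostname.lower()
            if host in SHARED_HOSTS:
                path_rules[(host, parts.path.rstrip("/"))] = family
            else:
                host_rules[host] = family
    return host_rules, path_rules


def classify(url, host_rules, path_rules):
    """Return the malware family a URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in host_rules:
        return host_rules[host]
    path = parts.path.rstrip("/")
    for (rule_host, rule_path), family in path_rules.items():
        # Exact path, or a deeper path under it: the real request often appends a
        # per-bot filename or API call to the configured path.
        if host == rule_host and (path == rule_path or path.startswith(rule_path + "/")):
            return family
    return None


def scan(log_lines, c2=C2):
    """Return (family, url) for every proxy log line whose URL matches an indicator.

    Line shape (constructed, Squid-like): '<epoch> <client> <method> <url> <status>'.
    CONNECT lines carry host:port instead of a URL and are normalised to https://host/,
    so a bare TLS handshake to t.me does not fire; only the channel path does.
    """
    host_rules, path_rules = build_index(c2)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        method, target = fields[2], fields[3]
        if method == "CONNECT":
            target = "https://" + target.rsplit(":", 1)[0] + "/"
        family = classify(target, host_rules, path_rules)
        if family:
            hits.append((family, target))
    return hits


# Constructed proxy log sample; not traffic captured from the sandbox run.
SAMPLE_LOG = [
    "1640008920.101 10.0.0.15 GET http://ip-api.com/json/ 200",
    "1640008921.412 10.0.0.15 GET http://194.180.174.53/masseffectus2 200",
    "1640008922.003 10.0.0.15 CONNECT t.me:443 200",
    "1640008922.550 10.0.0.15 GET https://t.me/some_unrelated_channel 200",
    "1640008923.127 10.0.0.15 GET https://t.me/masseffectus2 200",
    "1640008924.088 10.0.0.15 GET https://noc.social/@sergeev46 200",
    "1640008925.900 10.0.0.15 POST http://rcacademy.at/upload/index.php 200",
    "1640008926.314 10.0.0.15 GET https://www.biohazardgraphics.com/api/?a=1 200",
]

if __name__ == "__main__":
    for family, url in scan(SAMPLE_LOG):
        print(f"{family:12s} {url}")
```

Run as a script it prints five hits (raccoon twice, vidar, smokeloader, socelars) and stays silent on the ip-api.com lookup, the CONNECT to t.me and the unrelated Telegram channel. Treat the Telegram and Mastodon entries as time-limited: they are dead drops the operators can repoint, so the value of the path rule decays faster than that of the IP rules.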
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3320 | 4368 | rundll32.exe | 140
In this run the unexpected child is rundll32.exe loading C:\Users\Admin\AppData\Local\Temp\sqlite.dll (PID 3320 in the process tree below). A SQLite library dropped into Temp is consistent with browser-database parsing by the stealers identified on this page, although the report does not show what the exported function does.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/1016-320-0x0000000000C30000-0x0000000000DFF000-memory.dmp | family_redline
behavioral2/memory/1016-319-0x0000000000C30000-0x0000000000DFF000-memory.dmp | family_redline
behavioral2/memory/2960-354-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/4204-390-0x0000000000419332-mapping.dmp | family_redline
PIDs 2960 and 4204 are the second instances of Sun02687ff429634d30b.exe and Sun025e2074db2bd693.exe whose thread context their parents rewrote (see the SetThreadContext signature below), so the RedLine payload runs inside hollowed copies of its own loaders. PID 1016 appears twice in the process tree, as a cmd.exe /c wrapper and as de85904c-da0d-431e-8ae4-8570bd45678c.exe, which also hides its threads from debuggers.
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab3c-192.dat | family_socelars
behavioral2/files/0x000500000001ab3c-178.dat | family_socelars
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab44-185.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab44-225.dat | WebBrowserPassView

Nirsoft (5 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab44-185.dat | Nirsoft
behavioral2/files/0x000500000001ab44-225.dat | Nirsoft
behavioral2/files/0x000600000001ab30-282.dat | Nirsoft
behavioral2/files/0x000600000001ab30-284.dat | Nirsoft
behavioral2/memory/2016-289-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
PID 2016 is 11111.exe, which the process tree shows Sun02dc04e4fb5564a.exe running twice: first with /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt, then with /stab (NirSoft's tab-delimited export switch) on the same output path. Two distinct dropped files (resource ids 0x000500000001ab44 and 0x000600000001ab30) match the NirSoft rule, so more than one NirSoft utility appears to have been dropped under that name.

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/1788-278-0x0000000002210000-0x00000000022E9000-memory.dmp | family_vidar
behavioral2/memory/1788-280-0x0000000000400000-0x0000000000536000-memory.dmp | family_vidar
PID 1788 is Sun0258a3bfb9448.exe. In the process tree it ends with a cmd.exe chain that kills the process, waits six seconds, deletes its own executable and removes C:\ProgramData\*.dll. Deleting DLLs from ProgramData is consistent with Vidar downloading its helper libraries there, though the report does not list those files.

ASPack v2.12-v2.42 packed files (6 IoCs, yara rule aspack_v212_v242)
resource | yara_rule
behavioral2/files/0x000600000001ab26-126.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab26-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2d-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2d-130.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2f-132.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2f-134.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (37 IoCs)
pid | Process
1588 | setup_installer.exe
592 | setup_install.exe
3980 | Sun020372b94495.exe
1872 | Sun02d50deb5f.exe
4080 | Sun02158c4429642.exe
400 | Sun02687ff429634d30b.exe
3908 | Sun025e2074db2bd693.exe
1576 | Sun02989ef95cb95.exe
4072 | Sun02466441087bfc9.exe
1848 | Sun0289a4802fe9c10.exe
1664 | Sun020570a5cfa553fb.exe
1900 | Sun02a326084de0.exe
3004 | Sun02b9c2ca0dbf.exe
2616 | Sun02bca234bb37c.exe
3728 | Sun02dc04e4fb5564a.exe
956 | Sun02b54c9f5924cbd3f.exe
1788 | Sun0258a3bfb9448.exe
2704 | Sun02b9c2ca0dbf.exe
1572 | Sun020a58adf7e2118f.exe
756 | Sun020570a5cfa553fb.tmp
1048 | LzmwAqmV.exe
1584 | Sun0289a4802fe9c10.exe
1772 | Sun020570a5cfa553fb.exe
2016 | 11111.exe
3352 | Sun020570a5cfa553fb.tmp
1180 | mynewstfile.exe
3856 | 8b6bf3ae-856c-4670-b123-0229cafed51b.exe
1392 | ff6eab52-f77f-4d94-aacd-58adf2c158be.exe
2096 | Ebook10.exe
1016 | de85904c-da0d-431e-8ae4-8570bd45678c.exe
3824 | 337be442-ca72-43f0-b5e6-6810727f8528.exe
4024 | 133949fe-3dd5-4a64-9b67-d7b770af45b5.exe
3592 | 11111.exe
2960 | Sun02687ff429634d30b.exe
1664 | Sun025e2074db2bd693.exe
4204 | Sun025e2074db2bd693.exe
4856 | 9995931099959310.exe

Loads dropped DLL (10 IoCs)
pid | Process
592 | setup_install.exe (6 entries)
756 | Sun020570a5cfa553fb.tmp
3352 | Sun020570a5cfa553fb.tmp
4920 | rundll32.exe (2 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\218457123 = "C:\\Users\\Admin\\AppData\\Roaming\\19478679\\9995931099959310.exe" | ff6eab52-f77f-4d94-aacd-58adf2c158be.exe
That is HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the sandbox user, pointing at a copy under %APPDATA%\19478679\; the process tree shows the same executable launched as PID 4856.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
15 | ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1016 | de85904c-da0d-431e-8ae4-8570bd45678c.exe
3824 | 337be442-ca72-43f0-b5e6-6810727f8528.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3004 set thread context of 2704 | 3004 | Sun02b9c2ca0dbf.exe | 105
PID 400 set thread context of 2960 | 400 | Sun02687ff429634d30b.exe | 123
PID 3908 set thread context of 4204 | 3908 | Sun025e2074db2bd693.exe | 128
In all three cases the target is a second instance of the same executable, started by the parent (see the process tree): the process-hollowing pattern, a copy of itself whose thread context is rewritten before it runs. 2960 and 4204 are the processes in which the RedLine yara rule matched.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text: nothing else in this report points to ransomware, and stealers with a file-grabber component enumerate drives as well.)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun02bca234bb37c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun02bca234bb37c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun02bca234bb37c.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
3068 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
1704 | taskkill.exe
4224 | taskkill.exe
4928 | taskkill.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Sun02a326084de0.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Sun020a58adf7e2118f.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2616 | Sun02bca234bb37c.exe (2 entries)
1348 | powershell.exe (1 entry)
2976 | powershell.exe (2 entries)
396 | Process not Found (the remaining 59 entries, interleaved with the above)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
396 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2616 | Sun02bca234bb37c.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1872 | Sun02d50deb5f.exe
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 separate entries) | 1576 | Sun02989ef95cb95.exe
Token: SeDebugPrivilege | 3908 | Sun025e2074db2bd693.exe
Token: SeDebugPrivilege | 400 | Sun02687ff429634d30b.exe
Token: SeDebugPrivilege | 3980 | Sun020372b94495.exe
Token: SeDebugPrivilege | 2976 | powershell.exe
Token: SeDebugPrivilege | 1348 | powershell.exe
Token: SeShutdownPrivilege | 396 | Process not Found
Token: SeCreatePagefilePrivilege | 396 | Process not Found
(the last two rows alternate 12 times, 24 entries in all)
Sun02989ef95cb95.exe requesting every privilege in one go, including the unnamed LUIDs 31 to 35, is the "enable all privileges" idiom rather than a targeted escalation; this is the process that later runs taskkill /f /im chrome.exe in the tree below.
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 3372 wrote to memory of 1588 | 3372 | 51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe | 68 | 3
PID 1588 wrote to memory of 592 | 1588 | setup_installer.exe | 69 | 3
PID 592 wrote to memory of 3460 | 592 | setup_install.exe | 72 | 3
PID 592 wrote to memory of 3700 | 592 | setup_install.exe | 73 | 3
PID 592 wrote to memory of 3956 | 592 | setup_install.exe | 74 | 3
PID 592 wrote to memory of 1012 | 592 | setup_install.exe | 75 | 3
PID 592 wrote to memory of 3952 | 592 | setup_install.exe | 76 | 3
PID 592 wrote to memory of 3740 | 592 | setup_install.exe | 77 | 3
PID 592 wrote to memory of 4032 | 592 | setup_install.exe | 78 | 3
PID 592 wrote to memory of 1016 | 592 | setup_install.exe | 104 | 3
PID 592 wrote to memory of 3136 | 592 | setup_install.exe | 103 | 3
PID 3956 wrote to memory of 3980 | 3956 | cmd.exe | 79 | 2
PID 592 wrote to memory of 2908 | 592 | setup_install.exe | 80 | 3
PID 592 wrote to memory of 1844 | 592 | setup_install.exe | 102 | 3
PID 3952 wrote to memory of 1872 | 3952 | cmd.exe | 81 | 2
PID 3740 wrote to memory of 4080 | 3740 | cmd.exe | 101 | 3
PID 3700 wrote to memory of 1348 | 3700 | cmd.exe | 100 | 3
PID 1012 wrote to memory of 400 | 1012 | cmd.exe | 99 | 3
PID 592 wrote to memory of 604 | 592 | setup_install.exe | 98 | 3
PID 3460 wrote to memory of 2976 | 3460 | cmd.exe | 97 | 3
PID 592 wrote to memory of 2564 | 592 | setup_install.exe | 96 | 3
PID 3136 wrote to memory of 3908 | 3136 | cmd.exe | 95 | 3
A few writes into each newly created child is the normal process-creation pattern (the parent populates the new process's startup data), so this table mostly records who launched whom; it stops at 64 entries, which is why only setup_install.exe and its cmd.exe wrappers appear and the later parent-to-child writes, including those into the hollowed children above, are not listed.
Processes
Depth is shown in brackets; children are indented under their parent.
(Several depth-1 entries below, Sun02dc04e4fb5564a.exe, Sun02a326084de0.exe, Sun020570a5cfa553fb.exe, Sun02989ef95cb95.exe and Sun025e2074db2bd693.exe, carry the same names as the "cmd.exe /c <name>" wrappers under setup_install.exe; the report renders them as separate roots. For Sun025e2074db2bd693.exe the WriteProcessMemory table above confirms the link, cmd.exe 3136 to 3908.)

[1] C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe"
    PID: 3372
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 1588
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS43642456\setup_install.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS43642456\setup_install.exe"
        PID: 592
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 3460
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 2976
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 3700
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 1348
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun020372b94495.exe
          PID: 3956
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020372b94495.exe
            cmdline: Sun020372b94495.exe
            PID: 3980
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\8b6bf3ae-856c-4670-b123-0229cafed51b.exe
              cmdline: "C:\Users\Admin\AppData\Local\8b6bf3ae-856c-4670-b123-0229cafed51b.exe"
              PID: 3856
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\ff6eab52-f77f-4d94-aacd-58adf2c158be.exe
              cmdline: "C:\Users\Admin\AppData\Local\ff6eab52-f77f-4d94-aacd-58adf2c158be.exe"
              PID: 1392
              - Executes dropped EXE
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Roaming\19478679\9995931099959310.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\19478679\9995931099959310.exe"
                PID: 4856
                - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\de85904c-da0d-431e-8ae4-8570bd45678c.exe
              cmdline: "C:\Users\Admin\AppData\Local\de85904c-da0d-431e-8ae4-8570bd45678c.exe"
              PID: 1016
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Users\Admin\AppData\Local\133949fe-3dd5-4a64-9b67-d7b770af45b5.exe
              cmdline: "C:\Users\Admin\AppData\Local\133949fe-3dd5-4a64-9b67-d7b770af45b5.exe"
              PID: 4024
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Roaming\5703862.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\5703862.exe"
                PID: 4416
              [8] C:\Windows\SysWOW64\control.exe
                  cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  PID: 4216
                [9] C:\Windows\SysWOW64\rundll32.exe
                    cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    PID: 4884
          [6] C:\Users\Admin\AppData\Local\337be442-ca72-43f0-b5e6-6810727f8528.exe
              cmdline: "C:\Users\Admin\AppData\Local\337be442-ca72-43f0-b5e6-6810727f8528.exe"
              PID: 3824
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02687ff429634d30b.exe
          PID: 1012
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
            cmdline: Sun02687ff429634d30b.exe
            PID: 400
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
              PID: 2960
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02d50deb5f.exe
          PID: 3952
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02d50deb5f.exe
            cmdline: Sun02d50deb5f.exe
            PID: 1872
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              PID: 1048
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe"
                PID: 1180
                - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\Ebook10.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\Ebook10.exe"
                PID: 2096
                - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02158c4429642.exe
          PID: 3740
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02158c4429642.exe
            cmdline: Sun02158c4429642.exe
            PID: 4080
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02466441087bfc9.exe
          PID: 4032
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02466441087bfc9.exe
            cmdline: Sun02466441087bfc9.exe
            PID: 4072
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02b9c2ca0dbf.exe /mixtwo
          PID: 2908
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe
            cmdline: Sun02b9c2ca0dbf.exe /mixtwo
            PID: 3004
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe
              cmdline: Sun02b9c2ca0dbf.exe /mixtwo
              PID: 2704
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun02b9c2ca0dbf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe" & exit
                PID: 4864
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im "Sun02b9c2ca0dbf.exe" /f
                  PID: 1704
                  - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun020a58adf7e2118f.exe
          PID: 3752
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020a58adf7e2118f.exe
            cmdline: Sun020a58adf7e2118f.exe
            PID: 1572
            - Executes dropped EXE
            - Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
              PID: 4840
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
                PID: 4388
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun0289a4802fe9c10.exe
          PID: 1376
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe
            cmdline: Sun0289a4802fe9c10.exe
            PID: 1848
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe" -u
              PID: 1584
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02bca234bb37c.exe
          PID: 2428
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02bca234bb37c.exe
            cmdline: Sun02bca234bb37c.exe
            PID: 2616
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun0258a3bfb9448.exe
          PID: 1444
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe
            cmdline: Sun0258a3bfb9448.exe
            PID: 1788
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit
              PID: 4064
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im Sun0258a3bfb9448.exe /f
                PID: 4928
                - Kills process with taskkill
            [7] C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout /t 6
                PID: 3068
                - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02b54c9f5924cbd3f.exe
          PID: 1476
        [5] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b54c9f5924cbd3f.exe
            cmdline: Sun02b54c9f5924cbd3f.exe
            PID: 956
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02dc04e4fb5564a.exe
          PID: 2564
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02989ef95cb95.exe
          PID: 604
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun02a326084de0.exe
          PID: 1844
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun025e2074db2bd693.exe
          PID: 3136
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Sun020570a5cfa553fb.exe
          PID: 1016

[1] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02dc04e4fb5564a.exe
    cmdline: Sun02dc04e4fb5564a.exe
    PID: 3728
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\11111.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      PID: 2016
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\11111.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      PID: 3592
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02a326084de0.exe
    cmdline: Sun02a326084de0.exe
    PID: 1900
    - Executes dropped EXE
    - Modifies registry class
  [2] C:\Windows\SysWOW64\control.exe
      cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
      PID: 2268
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
        PID: 4920
        - Loads dropped DLL
      [4] C:\Windows\system32\RunDll32.exe
          cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
          PID: 4780
        [5] C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
            PID: 1664

[1] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe
    cmdline: Sun020570a5cfa553fb.exe
    PID: 1664
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\is-A2K72.tmp\Sun020570a5cfa553fb.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-A2K72.tmp\Sun020570a5cfa553fb.tmp" /SL5="$20084,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe"
      PID: 756
      - Executes dropped EXE
      - Loads dropped DLL
    [3] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe" /SILENT
        PID: 1772
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\is-UALMO.tmp\Sun020570a5cfa553fb.tmp
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-UALMO.tmp\Sun020570a5cfa553fb.tmp" /SL5="$201D0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe" /SILENT
          PID: 3352
          - Executes dropped EXE
          - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02989ef95cb95.exe
    cmdline: Sun02989ef95cb95.exe
    PID: 1576
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c taskkill /f /im chrome.exe
      PID: 4932
    [3] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /im chrome.exe
        PID: 4224
        - Kills process with taskkill

[1] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
    cmdline: Sun025e2074db2bd693.exe
    PID: 3908
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      PID: 1664
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      PID: 4204
      - Executes dropped EXE

[1] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 3320
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 4280

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 1188
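The tree above contains several behaviours worth turning into detections: Defender tampering through Set-MpPreference/Add-MpPreference, control-panel applets executed from Temp via control.exe and rundll32 Shell32.dll,Control_RunDLL, cmd.exe chains that kill and delete the process that spawned them, rundll32 under wmiprvse.exe, loaders re-executing themselves and rewriting the child's thread context, and NirSoft-style export switches that dump browser data to a text file. The following Python is an added example, not part of the sandbox report, that runs those rules over a list of process records. The records are constructed from the tree (PIDs, images and command lines are the report's, parent links follow the tree's nesting; wmiprvse.exe, PID 4368, is taken from the unexpected-child signature, the only place it appears). The rule names, the regular expressions and the assumption that only a SetThreadContext parent makes a same-image child a hollowing candidate are the example's own.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed from the process tree in the report (see the lead-in for provenance).
TREE = [
    Proc(2976, 3460, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    Proc(1348, 3700, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    Proc(400, 1012, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe", "Sun02687ff429634d30b.exe"),
    Proc(2960, 400, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe",
         r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe"),
    Proc(1848, 1376, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe", "Sun0289a4802fe9c10.exe"),
    Proc(1584, 1848, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe" -u'),
    Proc(3004, 2908, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe", "Sun02b9c2ca0dbf.exe /mixtwo"),
    Proc(2704, 3004, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe", "Sun02b9c2ca0dbf.exe /mixtwo"),
    Proc(4864, 2704, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun02b9c2ca0dbf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe" & exit'),
    Proc(1572, 3752, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020a58adf7e2118f.exe", "Sun020a58adf7e2118f.exe"),
    Proc(4840, 1572, r"C:\Windows\SysWOW64\control.exe",
         r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",'),
    Proc(4388, 4840, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",'),
    Proc(3728, 0, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02dc04e4fb5564a.exe", "Sun02dc04e4fb5564a.exe"),
    Proc(2016, 3728, r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
         r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    Proc(3592, 3728, r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
         r"C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt"),
    Proc(1788, 1444, r"C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe", "Sun0258a3bfb9448.exe"),
    Proc(4064, 1788, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit'),
    Proc(4368, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),
    Proc(3320, 4368, r"C:\Windows\system32\rundll32.exe", r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
]

# PIDs listed in the report's "Suspicious use of SetThreadContext" signature.
SET_THREAD_CONTEXT = {3004, 400, 3908}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
CPL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.cpl)"?', re.I)
NIRSOFT_SWITCHES = re.compile(r"/(scookiestxt|stab|CookiesFile)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(procs, set_thread_context_pids=frozenset()):
    """Return (rule, pid, detail) findings for a list of Proc records."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name, low = basename(p.image), p.cmdline.lower()
        parent = by_pid.get(p.ppid)
        # Defender tampering: realtime monitoring switched off, or an exclusion added.
        if name == "powershell.exe" and ("-disablerealtimemonitoring" in low or "-exclusionpath" in low):
            findings.append(("defender_tamper", p.pid, p.cmdline))
        # Control-panel applet (.cpl) executed from a user-writable directory.
        if name in ("control.exe", "rundll32.exe"):
            m = CPL_ARG.search(p.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("cpl_from_user_path", p.pid, m.group(1)))
        # cmd.exe that kills and deletes the image of the process that spawned it.
        if (name == "cmd.exe" and "taskkill" in low and ("del " in low or "erase " in low)
                and parent and basename(parent.image) in low):
            findings.append(("self_delete", p.pid, basename(parent.image)))
        # rundll32 under a parent that has no business launching DLL loaders.
        if name == "rundll32.exe" and parent and basename(parent.image) == "wmiprvse.exe":
            findings.append(("unexpected_parent", p.pid, basename(parent.image)))
        # A process spawning its own image is common (installers do it), so it is a
        # hollowing candidate only when the parent also rewrote a thread context.
        if parent and basename(parent.image) == name and parent.pid in set_thread_context_pids:
            findings.append(("hollowing_candidate", p.pid, parent.pid))
        # NirSoft-style export switches that dump browser data to a text file.
        if NIRSOFT_SWITCHES.search(p.cmdline):
            findings.append(("browser_data_dump", p.pid, name))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(TREE, SET_THREAD_CONTEXT):
        print(f"{rule:20s} pid={pid:<5d} {detail}")
```

On the constructed records this yields eleven findings. The negative case is Sun0289a4802fe9c10.exe (1848 to 1584, re-launched with -u): same image as its parent but no SetThreadContext, so it is not reported as hollowing, while 2960 and 2704 are. Feeding the same rules real EDR or Sysmon process-creation events needs only a loader that fills in Proc from those records.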