Analysis
  max time kernel: 61s
  max time network: 160s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 20/12/2021, 14:02

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a.exe
    Resource: win7-en-20211208
  Behavioral task: behavioral2
    Sample: fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a.exe
    Resource: win10-en-20211208

General
  Target: fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a.exe
  Size: 7.3MB
  MD5: 37ff68170c14560d4375f56eecd52fed
  SHA1: 4f7dad85d8eebb8d3131a661c17e1b34082d852f
  SHA256: fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a
  SHA512: d41bf88bfb1ea7f7a063e73fcb9ee4e886b1cd63cb1daced065c9e086d590f9cc527384cc65fac0fb4a6e91858aafc0b10a3ba1200b972bbfe5035aede213ac0
Malware Config
  Extracted: socelars
    http://www.biohazardgraphics.com/
  Extracted: raccoon
    b2a6680a55967ecaa6997d8e44705c8be49a632c
    url4cnc:
      http://194.180.174.53/masseffectus2
      http://91.219.236.18/masseffectus2
      http://194.180.174.41/masseffectus2
      http://91.219.236.148/masseffectus2
      https://t.me/masseffectus2
  Extracted: vidar
    49.1
    915
    https://noc.social/@sergeev46
    https://c.im/@sergeev47
    profile_id: 915
  Extracted: smokeloader
    2020
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 5024 | pid_target: 4748 | Process: rundll32.exe | procid_target: 133

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
  resource  yara_rule
  behavioral2/memory/3724-308-0x0000000000BD0000-0x0000000000D9F000-memory.dmp  family_redline
  behavioral2/memory/3724-310-0x0000000000BD0000-0x0000000000D9F000-memory.dmp  family_redline
  behavioral2/memory/4168-319-0x0000000001320000-0x00000000014EF000-memory.dmp  family_redline
  behavioral2/memory/4168-322-0x0000000001320000-0x00000000014EF000-memory.dmp  family_redline
  behavioral2/memory/4604-373-0x0000000000419332-mapping.dmp  family_redline
  behavioral2/memory/4588-371-0x0000000000419336-mapping.dmp  family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource  yara_rule
  behavioral2/files/0x000600000001ab5b-156.dat  family_socelars
  behavioral2/files/0x000600000001ab5b-187.dat  family_socelars

NirSoft WebBrowserPassView (5 IoCs)
  Password recovery tool for various web browsers
  resource  yara_rule
  behavioral2/files/0x000500000001ab63-152.dat  WebBrowserPassView
  behavioral2/files/0x000500000001ab63-199.dat  WebBrowserPassView
  behavioral2/files/0x000900000001ab41-278.dat  WebBrowserPassView
  behavioral2/files/0x000900000001ab41-280.dat  WebBrowserPassView
  behavioral2/memory/2092-279-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft (8 IoCs)
  resource  yara_rule
  behavioral2/files/0x000500000001ab63-152.dat  Nirsoft
  behavioral2/memory/512-266-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
  behavioral2/files/0x000800000001ab41-265.dat  Nirsoft
  behavioral2/files/0x000800000001ab41-264.dat  Nirsoft
  behavioral2/files/0x000500000001ab63-199.dat  Nirsoft
  behavioral2/files/0x000900000001ab41-278.dat  Nirsoft
  behavioral2/files/0x000900000001ab41-280.dat  Nirsoft
  behavioral2/memory/2092-279-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft

Vidar Stealer (2 IoCs)
  resource  yara_rule
  behavioral2/memory/1140-281-0x0000000002010000-0x00000000020E9000-memory.dmp  family_vidar
  behavioral2/memory/1140-286-0x0000000000400000-0x0000000000536000-memory.dmp  family_vidar

Untitled signature (yara rule aspack_v212_v242, 6 IoCs)
  resource  yara_rule
  behavioral2/files/0x000600000001ab3e-123.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab3e-125.dat  aspack_v212_v242
  behavioral2/files/0x000800000001ab43-130.dat  aspack_v212_v242
  behavioral2/files/0x000800000001ab43-129.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab3f-128.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab3f-122.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (31 IoCs)
  pid   Process
  908   setup_installer.exe
  644   setup_install.exe
  1216  Sat22cc079fa975742.exe
  1228  Sat2266f583ece132764.exe
  3008  Sat22af478322381d366.exe
  1500  Sat22c6ea1853d48f.exe
  2036  Sat22a4f1998457e.exe
  2144  Sat2283621daf918e8.exe
  4080  Sat2222ad87648d7d9f.exe
  1632  Sat22a5cbbcf173835.exe
  816   Sat22e7bb82f1.exe
  824   Sat22b701d5ae327922.exe
  1140  Sat220bfcb617d56673.exe
  3096  Sat229e7cb41de510.exe
  2104  Sat2200e2983a9ef.exe
  1212  Sat221b5ce8aed21c76.exe
  3840  Sat2296fa05ad3b7a5.exe
  3724  Sat221c9edb4c2b0b99e.exe
  1100  Sat2296fa05ad3b7a5.exe
  1496  Sat229e7cb41de510.exe
  728   Sat2283621daf918e8.tmp
  3732  Sat2283621daf918e8.exe
  512   11111.exe
  396   Sat2283621daf918e8.tmp
  2092  11111.exe
  992   8998eafc-24a7-4739-a6fe-52d22e7dc851.exe
  1264  da8e7a3c-d4d3-4fd0-85c2-2fd20ccd124c.exe
  3724  cec7e9bb-42cb-4624-b546-1cc9168b86e0.exe
  4168  544caec6-7be1-4a6a-b582-89095b0473e8.exe
  4208  67bd8fba-bb57-489e-81a9-5c61a8275ffe.exe
  4388  4355645643556456.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  728   Sat2283621daf918e8.tmp
  396   Sat2283621daf918e8.tmp
  1444  rundll32.exe
  3960  rundll32.exe
  3960  rundll32.exe
  1444  rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\218457123 = "C:\\Users\\Admin\\AppData\\Roaming\\79437124\\4355645643556456.exe"
  Process: da8e7a3c-d4d3-4fd0-85c2-2fd20ccd124c.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 13 | ioc: ip-api.com

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3724  cec7e9bb-42cb-4624-b546-1cc9168b86e0.exe
  4168  544caec6-7be1-4a6a-b582-89095b0473e8.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 3840 set thread context of 1100
  pid: 3840 | Process: Sat2296fa05ad3b7a5.exe | procid_target: 99

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                Process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sat22c6ea1853d48f.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sat22c6ea1853d48f.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Sat22c6ea1853d48f.exe

Delays execution with timeout.exe (1 IoC)
  pid: 4732 | Process: timeout.exe

Kills process with taskkill (3 IoCs)
  pid   Process
  1292  taskkill.exe
  4976  taskkill.exe
  2032  taskkill.exe

Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings
  Process: Sat221b5ce8aed21c76.exe

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header | flow: 29 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (52 IoCs)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 1500 | Process: Sat22c6ea1853d48f.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(Indentation shows the parent/child depth reported by the sandbox; each entry gives the image path, the command line as executed, and the signatures hit by that process.)

[PID 3204] C:\Users\Admin\AppData\Local\Temp\fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a.exe
  command: "C:\Users\Admin\AppData\Local\Temp\fd2464429aae52de3c9cdc5f1d5346900eef4aa30a2311f7350190b7a7bdac4a.exe"
  - Suspicious use of WriteProcessMemory
  [PID 908] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    command: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    [PID 644] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\setup_install.exe
      command: "C:\Users\Admin\AppData\Local\Temp\7zSC839B316\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [PID 1340] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        [PID 1984] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [PID 64] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        [PID 1512] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [PID 884] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22af478322381d366.exe
        - Suspicious use of WriteProcessMemory
        [PID 3008] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22af478322381d366.exe
          command: Sat22af478322381d366.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          [PID 992] C:\Users\Admin\AppData\Local\8998eafc-24a7-4739-a6fe-52d22e7dc851.exe
            command: "C:\Users\Admin\AppData\Local\8998eafc-24a7-4739-a6fe-52d22e7dc851.exe"
            - Executes dropped EXE
          [PID 1264] C:\Users\Admin\AppData\Local\da8e7a3c-d4d3-4fd0-85c2-2fd20ccd124c.exe
            command: "C:\Users\Admin\AppData\Local\da8e7a3c-d4d3-4fd0-85c2-2fd20ccd124c.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            [PID 4388] C:\Users\Admin\AppData\Roaming\79437124\4355645643556456.exe
              command: "C:\Users\Admin\AppData\Roaming\79437124\4355645643556456.exe"
              - Executes dropped EXE
          [PID 3724] C:\Users\Admin\AppData\Local\cec7e9bb-42cb-4624-b546-1cc9168b86e0.exe
            command: "C:\Users\Admin\AppData\Local\cec7e9bb-42cb-4624-b546-1cc9168b86e0.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
          [PID 4168] C:\Users\Admin\AppData\Local\544caec6-7be1-4a6a-b582-89095b0473e8.exe
            command: "C:\Users\Admin\AppData\Local\544caec6-7be1-4a6a-b582-89095b0473e8.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
          [PID 4208] C:\Users\Admin\AppData\Local\67bd8fba-bb57-489e-81a9-5c61a8275ffe.exe
            command: "C:\Users\Admin\AppData\Local\67bd8fba-bb57-489e-81a9-5c61a8275ffe.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            [PID 5004] C:\Users\Admin\AppData\Roaming\5417490.exe
              command: "C:\Users\Admin\AppData\Roaming\5417490.exe"
              [PID 4348] C:\Windows\SysWOW64\control.exe
                command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                [PID 4584] C:\Windows\SysWOW64\rundll32.exe
                  command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  [PID 3476] C:\Windows\system32\RunDll32.exe
                    command: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    [PID 2876] C:\Windows\SysWOW64\rundll32.exe
                      command: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      [PID 60] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22c6ea1853d48f.exe
        - Suspicious use of WriteProcessMemory
        [PID 1500] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22c6ea1853d48f.exe
          command: Sat22c6ea1853d48f.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
      [PID 2408] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22e7bb82f1.exe
        [PID 816] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22e7bb82f1.exe
          command: Sat22e7bb82f1.exe
          - Executes dropped EXE
          [PID 512] C:\Users\Admin\AppData\Local\Temp\11111.exe
            command: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
          [PID 2092] C:\Users\Admin\AppData\Local\Temp\11111.exe
            command: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
      [PID 3076] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat2222ad87648d7d9f.exe
        [PID 4080] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2222ad87648d7d9f.exe
          command: Sat2222ad87648d7d9f.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          [PID 4604] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2222ad87648d7d9f.exe
            command: C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2222ad87648d7d9f.exe
      [PID 2600] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22cc079fa975742.exe
        - Suspicious use of WriteProcessMemory
        [PID 1216] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22cc079fa975742.exe
          command: Sat22cc079fa975742.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      [PID 1040] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22a4f1998457e.exe
        [PID 2036] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22a4f1998457e.exe
          command: Sat22a4f1998457e.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          [PID 4668] C:\Windows\SysWOW64\cmd.exe
            command: cmd.exe /c taskkill /f /im chrome.exe
            [PID 4976] C:\Windows\SysWOW64\taskkill.exe
              command: taskkill /f /im chrome.exe
              - Kills process with taskkill
      [PID 560] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat2283621daf918e8.exe
        [PID 2144] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2283621daf918e8.exe
          command: Sat2283621daf918e8.exe
          - Executes dropped EXE
          [PID 728] C:\Users\Admin\AppData\Local\Temp\is-K9NH3.tmp\Sat2283621daf918e8.tmp
            command: "C:\Users\Admin\AppData\Local\Temp\is-K9NH3.tmp\Sat2283621daf918e8.tmp" /SL5="$20144,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2283621daf918e8.exe"
            - Executes dropped EXE
            - Loads dropped DLL
      [PID 648] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat2266f583ece132764.exe
        - Suspicious use of WriteProcessMemory
        [PID 1228] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2266f583ece132764.exe
          command: Sat2266f583ece132764.exe
          - Executes dropped EXE
      [PID 936] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22b701d5ae327922.exe
        [PID 824] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22b701d5ae327922.exe
          command: Sat22b701d5ae327922.exe
          - Executes dropped EXE
          [PID 1824] C:\Windows\SysWOW64\control.exe
            command: "C:\Windows\System32\control.exe" .\T2bGV.~
            [PID 1444] C:\Windows\SysWOW64\rundll32.exe
              command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
              - Loads dropped DLL
              [PID 4672] C:\Windows\system32\RunDll32.exe
                command: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
                [PID 3744] C:\Windows\SysWOW64\rundll32.exe
                  command: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
      [PID 2300] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat22a5cbbcf173835.exe
        [PID 1632] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat22a5cbbcf173835.exe
          command: Sat22a5cbbcf173835.exe
          - Executes dropped EXE
      [PID 2984] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat220bfcb617d56673.exe
        [PID 1140] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat220bfcb617d56673.exe
          command: Sat220bfcb617d56673.exe
          - Executes dropped EXE
          [PID 5036] C:\Windows\SysWOW64\cmd.exe
            command: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat220bfcb617d56673.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat220bfcb617d56673.exe" & del C:\ProgramData\*.dll & exit
            [PID 2032] C:\Windows\SysWOW64\taskkill.exe
              command: taskkill /im Sat220bfcb617d56673.exe /f
              - Kills process with taskkill
            [PID 4732] C:\Windows\SysWOW64\timeout.exe
              command: timeout /t 6
              - Delays execution with timeout.exe
      [PID 3024] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat229e7cb41de510.exe
        [PID 3096] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat229e7cb41de510.exe
          command: Sat229e7cb41de510.exe
          - Executes dropped EXE
          [PID 1496] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat229e7cb41de510.exe
            command: "C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat229e7cb41de510.exe" -u
            - Executes dropped EXE
      [PID 1332] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat221b5ce8aed21c76.exe
        [PID 1212] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat221b5ce8aed21c76.exe
          command: Sat221b5ce8aed21c76.exe
          - Executes dropped EXE
          - Modifies registry class
          [PID 752] C:\Windows\SysWOW64\control.exe
            command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\_DNp8YI.cpL",
            [PID 3960] C:\Windows\SysWOW64\rundll32.exe
              command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_DNp8YI.cpL",
              - Loads dropped DLL
              [PID 5112] C:\Windows\system32\RunDll32.exe
                command: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\_DNp8YI.cpL",
                [PID 4384] C:\Windows\SysWOW64\rundll32.exe
                  command: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\_DNp8YI.cpL",
      [PID 3608] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat2296fa05ad3b7a5.exe /mixtwo
      [PID 3656] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat221c9edb4c2b0b99e.exe
      [PID 1896] C:\Windows\SysWOW64\cmd.exe
        command: C:\Windows\system32\cmd.exe /c Sat2200e2983a9ef.exe

[PID 2104] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2200e2983a9ef.exe
  command: Sat2200e2983a9ef.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  [PID 4588] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2200e2983a9ef.exe
    command: C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2200e2983a9ef.exe

[PID 3840] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2296fa05ad3b7a5.exe
  command: Sat2296fa05ad3b7a5.exe /mixtwo
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  [PID 1100] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2296fa05ad3b7a5.exe
    command: Sat2296fa05ad3b7a5.exe /mixtwo
    - Executes dropped EXE
    [PID 2220] C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat2296fa05ad3b7a5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2296fa05ad3b7a5.exe" & exit
      [PID 1292] C:\Windows\SysWOW64\taskkill.exe
        command: taskkill /im "Sat2296fa05ad3b7a5.exe" /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

[PID 3724] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat221c9edb4c2b0b99e.exe
  command: Sat221c9edb4c2b0b99e.exe
  - Executes dropped EXE

[PID 3732] C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2283621daf918e8.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2283621daf918e8.exe" /SILENT
  - Executes dropped EXE
  [PID 396] C:\Users\Admin\AppData\Local\Temp\is-THNEF.tmp\Sat2283621daf918e8.tmp
    command: "C:\Users\Admin\AppData\Local\Temp\is-THNEF.tmp\Sat2283621daf918e8.tmp" /SL5="$30144,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC839B316\Sat2283621daf918e8.exe" /SILENT
    - Executes dropped EXE
    - Loads dropped DLL

[PID 5024] C:\Windows\system32\rundll32.exe
  command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  [PID 5052] C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[PID 2956] C:\Windows\system32\svchost.exe
  command: C:\Windows\system32\svchost.exe -k SystemNetworkService