Analysis
max time kernel: 62s
max time network: 174s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 14:02

Static task: static1
Behavioral task: behavioral1
Sample: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
Resource: win7-en-20211208
General
Target: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
Size: 7.8MB
MD5: bb627ed9b75d70e535ee848ce917aa65
SHA1: 7dc9b35117234134d910f53e2345d3157c25e8b2
SHA256: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b
SHA512: acbac7166c809f43e50111bb118fac43d09f3219f1e15c593438ed5dc406e0100abf2fca68ba6c2e0545d49c853aeb75e71bf64f034dd0b13f5f48d61acbba67
Malware Config
Extracted: socelars
  C2: http://www.biohazardgraphics.com/
Extracted: smokeloader
  Version: 2020
  C2: http://rcacademy.at/upload/
  C2: http://e-lanpengeonline.com/upload/
  C2: http://vjcmvz.cn/upload/
  C2: http://galala.ru/upload/
  C2: http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2572 | rundll32.exe | 76
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
resource | yara_rule
behavioral1/memory/2880-314-0x0000000000419332-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0006000000013947-173.dat | family_socelars
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x0006000000013980-171.dat | WebBrowserPassView
behavioral1/memory/2388-233-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView
Nirsoft (3 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000013980-171.dat | Nirsoft
behavioral1/memory/2152-221-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral1/memory/2388-233-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

YARA rule aspack_v212_v242 (6 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000013225-73.dat | aspack_v212_v242
behavioral1/files/0x0007000000013225-72.dat | aspack_v212_v242
behavioral1/files/0x000600000001330a-71.dat | aspack_v212_v242
behavioral1/files/0x000600000001330a-70.dat | aspack_v212_v242
behavioral1/files/0x00060000000133c1-77.dat | aspack_v212_v242
behavioral1/files/0x00060000000133c1-76.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (21 IoCs)
pid | Process
576 | setup_installer.exe
1480 | setup_install.exe
1352 | Sat214f898013408c.exe
1720 | Sat215d0254132.exe
924 | Sat21331fd7d3.exe
1060 | Sat2186a2fe17bc3.exe
900 | Sat211f3dc0dc85a790.exe
872 | Sat21de94a76558.exe
1896 | Sat21d2de5c9915e148.exe
1964 | Sat2186a2fe17bc3.exe
1348 | Sat2191af1420045d6af.exe
1496 | Sat2175f29e38b1.exe
1064 | Sat21cab531e24c.exe
960 | Sat21822ebb0e.exe
1224 | Sat2184c3c6c75ad8f83.exe
1840 | Sat21e5d4a320d0.exe
540 | Sat2184c3c6c75ad8f83.exe
1500 | Sat21fad2ad3b493fd4.exe
2152 | 11111.exe
2240 | Sat21a3a382cb.exe
2388 | 11111.exe
Loads dropped DLL (64 IoCs)
pid | Process (consecutive identical rows collapsed, count in parentheses)
308 | 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
576 | setup_installer.exe (6)
1480 | setup_install.exe (8)
1540 | cmd.exe
2004 | cmd.exe (2)
1152 | cmd.exe (2)
1320 | cmd.exe
1652 | cmd.exe
1352 | Sat214f898013408c.exe (2)
1720 | Sat215d0254132.exe (2)
1060 | Sat2186a2fe17bc3.exe (2)
1712 | cmd.exe
1736 | cmd.exe
1060 | Sat2186a2fe17bc3.exe
1964 | Sat2186a2fe17bc3.exe (2)
1608 | cmd.exe
1084 | cmd.exe
872 | Sat21de94a76558.exe (2)
1704 | cmd.exe
636 | cmd.exe (2)
1096 | cmd.exe (2)
632 | cmd.exe (2)
1348 | Sat2191af1420045d6af.exe (2)
1224 | Sat2184c3c6c75ad8f83.exe (2)
960 | Sat21822ebb0e.exe (2)
1840 | Sat21e5d4a320d0.exe (2)
1224 | Sat2184c3c6c75ad8f83.exe
1984 | cmd.exe
540 | Sat2184c3c6c75ad8f83.exe (2)
1500 | Sat21fad2ad3b493fd4.exe (2)
1624 | cmd.exe (2)
2152 | 11111.exe (2)
2388 | 11111.exe (2)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | ip-api.com
50 | ipinfo.io
51 | ipinfo.io
52 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1060 set thread context of 1964 | 1060 | Sat2186a2fe17bc3.exe | 57

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2236 | 1720 | WerFault.exe | 40
1884 | 872 | WerFault.exe | 48
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat214f898013408c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat214f898013408c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat214f898013408c.exe

Kills process with taskkill (2 IoCs)
pid | Process
2300 | taskkill.exe
2752 | taskkill.exe

Modifies system certificate store (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Sat2191af1420045d6af.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (value omitted) | Sat2191af1420045d6af.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 21 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | Process (identical rows collapsed, count in parentheses)
1352 | Sat214f898013408c.exe (2)
1412 | Process not Found (41)

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1352 | Sat214f898013408c.exe
Suspicious use of AdjustPrivilegeToken (34 IoCs)
description | pid | Process
All 34 rows have pid 1348 and Process Sat2191af1420045d6af.exe; the token descriptions are:
Token: SeCreateTokenPrivilege
Token: SeAssignPrimaryTokenPrivilege
Token: SeLockMemoryPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeMachineAccountPrivilege
Token: SeTcbPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeCreatePermanentPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeAuditPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeSyncAgentPrivilege
Token: SeEnableDelegationPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 31
Token: 32
Token: 33
Token: 34
Token: 35
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (identical rows collapsed, count in parentheses)
PID 308 wrote to memory of 576 | 308 | 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe | 27 (7)
PID 576 wrote to memory of 1480 | 576 | setup_installer.exe | 28 (7)
PID 1480 wrote to memory of 1280 | 1480 | setup_install.exe | 30 (7)
PID 1480 wrote to memory of 1616 | 1480 | setup_install.exe | 31 (7)
PID 1480 wrote to memory of 1540 | 1480 | setup_install.exe | 32 (7)
PID 1480 wrote to memory of 2004 | 1480 | setup_install.exe | 33 (7)
PID 1480 wrote to memory of 1624 | 1480 | setup_install.exe | 34 (7)
PID 1480 wrote to memory of 1152 | 1480 | setup_install.exe | 35 (7)
PID 1480 wrote to memory of 1652 | 1480 | setup_install.exe | 36 (7)
PID 1480 wrote to memory of 1320 | 1480 | setup_install.exe | 37 (1)
Processes
(Process tree; the bracketed number is the depth in the tree, "cmd:" is the command line, and signature hits follow as bullets.)

[1] C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe (PID 308)
    cmd: "C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 576)
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\setup_install.exe (PID 1480)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1280)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 984)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1616)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1368)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1540)
          cmd: C:\Windows\system32\cmd.exe /c Sat215d0254132.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat215d0254132.exe (PID 1720)
            cmd: Sat215d0254132.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\Pictures\Adobe Films\mgh1k02gvUST3Jsb4LRXbKr6.exe (PID 516)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\mgh1k02gvUST3Jsb4LRXbKr6.exe"
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 2236)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1488
              - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2004)
          cmd: C:\Windows\system32\cmd.exe /c Sat2186a2fe17bc3.exe /mixtwo
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe (PID 1060)
            cmd: Sat2186a2fe17bc3.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe (PID 1964)
              cmd: Sat2186a2fe17bc3.exe /mixtwo
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Windows\SysWOW64\cmd.exe (PID 2208)
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat2186a2fe17bc3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2186a2fe17bc3.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe (PID 2300)
                  cmd: taskkill /im "Sat2186a2fe17bc3.exe" /f
                  - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1624)
          cmd: C:\Windows\system32\cmd.exe /c Sat21a3a382cb.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21a3a382cb.exe (PID 2240)
            cmd: Sat21a3a382cb.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1152)
          cmd: C:\Windows\system32\cmd.exe /c Sat214f898013408c.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat214f898013408c.exe (PID 1352)
            cmd: Sat214f898013408c.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1652)
          cmd: C:\Windows\system32\cmd.exe /c Sat211f3dc0dc85a790.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe (PID 900)
            cmd: Sat211f3dc0dc85a790.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\is-6JGRS.tmp\Sat211f3dc0dc85a790.tmp (PID 2224)
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-6JGRS.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$20164,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe (PID 2284)
                cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe" /SILENT
              [8] C:\Users\Admin\AppData\Local\Temp\is-BNSLE.tmp\Sat211f3dc0dc85a790.tmp (PID 2128)
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-BNSLE.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$301EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat211f3dc0dc85a790.exe" /SILENT
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1320)
          cmd: C:\Windows\system32\cmd.exe /c Sat21331fd7d3.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21331fd7d3.exe (PID 924)
            cmd: Sat21331fd7d3.exe
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\control.exe (PID 2960)
              cmd: "C:\Windows\System32\control.exe" .\T2bGV.~
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 3004)
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
              [8] C:\Windows\system32\RunDll32.exe (PID 1668)
                  cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
                [9] C:\Windows\SysWOW64\rundll32.exe (PID 2448)
                    cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1712)
          cmd: C:\Windows\system32\cmd.exe /c Sat21d2de5c9915e148.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21d2de5c9915e148.exe (PID 1896)
            cmd: Sat21d2de5c9915e148.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\603ecca9-bf79-4ed8-a910-8f6afc7f7237.exe (PID 2988)
              cmd: "C:\Users\Admin\AppData\Local\603ecca9-bf79-4ed8-a910-8f6afc7f7237.exe"
          [6] C:\Users\Admin\AppData\Local\f168f0ef-7d2f-4ae2-bfd8-e0e50a53e52d.exe (PID 3024)
              cmd: "C:\Users\Admin\AppData\Local\f168f0ef-7d2f-4ae2-bfd8-e0e50a53e52d.exe"
            [7] C:\Users\Admin\AppData\Roaming\85598396\7480031185598252.exe (PID 1088)
                cmd: "C:\Users\Admin\AppData\Roaming\85598396\7480031185598252.exe"
          [6] C:\Users\Admin\AppData\Local\bc53aa3e-baa1-483d-9e2a-6ff2233452cb.exe (PID 2740)
              cmd: "C:\Users\Admin\AppData\Local\bc53aa3e-baa1-483d-9e2a-6ff2233452cb.exe"
          [6] C:\Users\Admin\AppData\Local\ec56be66-0dc6-4764-8793-0b290a9798e4.exe (PID 3012)
              cmd: "C:\Users\Admin\AppData\Local\ec56be66-0dc6-4764-8793-0b290a9798e4.exe"
          [6] C:\Users\Admin\AppData\Local\68347cc1-6a79-4e18-abc2-d8ab9990fad9.exe (PID 2732)
              cmd: "C:\Users\Admin\AppData\Local\68347cc1-6a79-4e18-abc2-d8ab9990fad9.exe"
            [7] C:\Users\Admin\AppData\Roaming\2762339.exe (PID 1712)
                cmd: "C:\Users\Admin\AppData\Roaming\2762339.exe"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2028)
          cmd: C:\Windows\system32\cmd.exe /c Sat2106af2f1b2e3716.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1608)
          cmd: C:\Windows\system32\cmd.exe /c Sat2175f29e38b1.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2175f29e38b1.exe (PID 1496)
            cmd: Sat2175f29e38b1.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1736)
          cmd: C:\Windows\system32\cmd.exe /c Sat21de94a76558.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21de94a76558.exe (PID 872)
            cmd: Sat21de94a76558.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\Pictures\Adobe Films\qHFqTJRLt27ASy0gcgVpn4BR.exe (PID 1364)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\qHFqTJRLt27ASy0gcgVpn4BR.exe"
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 1884)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1548
              - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1096)
          cmd: C:\Windows\system32\cmd.exe /c Sat21e5d4a320d0.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21e5d4a320d0.exe (PID 1840)
            cmd: Sat21e5d4a320d0.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2852)
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
          [6] C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\AdvancedRun.exe (PID 1776)
              cmd: "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          [6] C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\dd5102ff-8339-4d43-822f-be1787e68975.exe (PID 2536)
              cmd: "C:\Users\Admin\AppData\Local\Temp\fa8cbdfb-3ebe-4762-ab08-cbbee76b1963\dd5102ff-8339-4d43-822f-be1787e68975.exe" /o /c "Windows-Defender" /r
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2504)
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
              cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21e5d4a320d0.exe" -Force
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1984)
          cmd: C:\Windows\system32\cmd.exe /c Sat21fad2ad3b493fd4.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21fad2ad3b493fd4.exe (PID 1500)
            cmd: Sat21fad2ad3b493fd4.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\control.exe (PID 2484)
              cmd: "C:\Windows\System32\control.exe" .\T2bGV.~
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 2596)
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
      [4] C:\Windows\SysWOW64\cmd.exe (PID 636)
          cmd: C:\Windows\system32\cmd.exe /c Sat21822ebb0e.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe (PID 960)
            cmd: Sat21822ebb0e.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe (PID 2880)
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21822ebb0e.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1704)
          cmd: C:\Windows\system32\cmd.exe /c Sat21cab531e24c.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat21cab531e24c.exe (PID 1064)
            cmd: Sat21cab531e24c.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2152)
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2388)
              cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1084)
          cmd: C:\Windows\system32\cmd.exe /c Sat2191af1420045d6af.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2191af1420045d6af.exe (PID 1348)
            cmd: Sat2191af1420045d6af.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe (PID 2716)
              cmd: cmd.exe /c taskkill /f /im chrome.exe
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 2752)
                cmd: taskkill /f /im chrome.exe
                - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe (PID 632)
          cmd: C:\Windows\system32\cmd.exe /c Sat2184c3c6c75ad8f83.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe (PID 1224)
            cmd: Sat2184c3c6c75ad8f83.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe (PID 540)
              cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0424F126\Sat2184c3c6c75ad8f83.exe" -u
              - Executes dropped EXE
              - Loads dropped DLL

[1] C:\Windows\system32\rundll32.exe (PID 2864)
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe (PID 2904)
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[1] C:\Windows\system32\svchost.exe (PID 3016)
    cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService